* [PATCH] PCI/VPD: Fix stack overflow caused by pci_read_vpd_any()
@ 2021-10-13 18:19 Heiner Kallweit
2021-10-13 18:53 ` Bjorn Helgaas
2021-10-25 20:57 ` Bjorn Helgaas
0 siblings, 2 replies; 5+ messages in thread
From: Heiner Kallweit @ 2021-10-13 18:19 UTC (permalink / raw)
To: Bjorn Helgaas; +Cc: linux-pci, Qian Cai
Recent bug fix 00e1a5d21b4f ("PCI/VPD: Defer VPD sizing until first
access") interferes with the original change, resulting in a stack
overflow. The following fix has been successfully tested by Qian
and myself.
Fixes: 80484b7f8db1 ("PCI/VPD: Use pci_read_vpd_any() in pci_vpd_size()")
Reported-by: Qian Cai <quic_qiancai@quicinc.com>
Tested-by: Qian Cai <quic_qiancai@quicinc.com>
Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com>
---
drivers/pci/vpd.c | 18 +++++++++++-------
1 file changed, 11 insertions(+), 7 deletions(-)
diff --git a/drivers/pci/vpd.c b/drivers/pci/vpd.c
index 5108bbd20..a4fc4d069 100644
--- a/drivers/pci/vpd.c
+++ b/drivers/pci/vpd.c
@@ -96,14 +96,14 @@ static size_t pci_vpd_size(struct pci_dev *dev)
return off ?: PCI_VPD_SZ_INVALID;
}
-static bool pci_vpd_available(struct pci_dev *dev)
+static bool pci_vpd_available(struct pci_dev *dev, bool check_size)
{
struct pci_vpd *vpd = &dev->vpd;
if (!vpd->cap)
return false;
- if (vpd->len == 0) {
+ if (vpd->len == 0 && check_size) {
vpd->len = pci_vpd_size(dev);
if (vpd->len == PCI_VPD_SZ_INVALID) {
vpd->cap = 0;
@@ -156,17 +156,19 @@ static ssize_t pci_vpd_read(struct pci_dev *dev, loff_t pos, size_t count,
void *arg, bool check_size)
{
struct pci_vpd *vpd = &dev->vpd;
- unsigned int max_len = check_size ? vpd->len : PCI_VPD_MAX_SIZE;
+ unsigned int max_len;
int ret = 0;
loff_t end = pos + count;
u8 *buf = arg;
- if (!pci_vpd_available(dev))
+ if (!pci_vpd_available(dev, check_size))
return -ENODEV;
if (pos < 0)
return -EINVAL;
+ max_len = check_size ? vpd->len : PCI_VPD_MAX_SIZE;
+
if (pos >= max_len)
return 0;
@@ -218,17 +220,19 @@ static ssize_t pci_vpd_write(struct pci_dev *dev, loff_t pos, size_t count,
const void *arg, bool check_size)
{
struct pci_vpd *vpd = &dev->vpd;
- unsigned int max_len = check_size ? vpd->len : PCI_VPD_MAX_SIZE;
+ unsigned int max_len;
const u8 *buf = arg;
loff_t end = pos + count;
int ret = 0;
- if (!pci_vpd_available(dev))
+ if (!pci_vpd_available(dev, check_size))
return -ENODEV;
if (pos < 0 || (pos & 3) || (count & 3))
return -EINVAL;
+ max_len = check_size ? vpd->len : PCI_VPD_MAX_SIZE;
+
if (end > max_len)
return -EINVAL;
@@ -312,7 +316,7 @@ void *pci_vpd_alloc(struct pci_dev *dev, unsigned int *size)
void *buf;
int cnt;
- if (!pci_vpd_available(dev))
+ if (!pci_vpd_available(dev, true))
return ERR_PTR(-ENODEV);
len = dev->vpd.len;
--
2.33.0
^ permalink raw reply related [flat|nested] 5+ messages in thread* Re: [PATCH] PCI/VPD: Fix stack overflow caused by pci_read_vpd_any()
2021-10-13 18:19 [PATCH] PCI/VPD: Fix stack overflow caused by pci_read_vpd_any() Heiner Kallweit
@ 2021-10-13 18:53 ` Bjorn Helgaas
2021-10-13 19:12 ` Heiner Kallweit
2021-10-25 20:57 ` Bjorn Helgaas
1 sibling, 1 reply; 5+ messages in thread
From: Bjorn Helgaas @ 2021-10-13 18:53 UTC (permalink / raw)
To: Heiner Kallweit; +Cc: Bjorn Helgaas, linux-pci, Qian Cai
On Wed, Oct 13, 2021 at 08:19:59PM +0200, Heiner Kallweit wrote:
> Recent bug fix 00e1a5d21b4f ("PCI/VPD: Defer VPD sizing until first
> access") interferes with the original change, resulting in a stack
> overflow. The following fix has been successfully tested by Qian
> and myself.
What does "the original change" refer to? 80484b7f8db1? I guess the
stack overflow is an unintended recursion? Is there a URL to Qian's
bug report with more details that we can include here?
> Fixes: 80484b7f8db1 ("PCI/VPD: Use pci_read_vpd_any() in pci_vpd_size()")
> Reported-by: Qian Cai <quic_qiancai@quicinc.com>
> Tested-by: Qian Cai <quic_qiancai@quicinc.com>
> Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com>
> ---
> drivers/pci/vpd.c | 18 +++++++++++-------
> 1 file changed, 11 insertions(+), 7 deletions(-)
>
> diff --git a/drivers/pci/vpd.c b/drivers/pci/vpd.c
> index 5108bbd20..a4fc4d069 100644
> --- a/drivers/pci/vpd.c
> +++ b/drivers/pci/vpd.c
> @@ -96,14 +96,14 @@ static size_t pci_vpd_size(struct pci_dev *dev)
> return off ?: PCI_VPD_SZ_INVALID;
> }
>
> -static bool pci_vpd_available(struct pci_dev *dev)
> +static bool pci_vpd_available(struct pci_dev *dev, bool check_size)
> {
> struct pci_vpd *vpd = &dev->vpd;
>
> if (!vpd->cap)
> return false;
>
> - if (vpd->len == 0) {
> + if (vpd->len == 0 && check_size) {
> vpd->len = pci_vpd_size(dev);
> if (vpd->len == PCI_VPD_SZ_INVALID) {
> vpd->cap = 0;
> @@ -156,17 +156,19 @@ static ssize_t pci_vpd_read(struct pci_dev *dev, loff_t pos, size_t count,
> void *arg, bool check_size)
> {
> struct pci_vpd *vpd = &dev->vpd;
> - unsigned int max_len = check_size ? vpd->len : PCI_VPD_MAX_SIZE;
> + unsigned int max_len;
> int ret = 0;
> loff_t end = pos + count;
> u8 *buf = arg;
>
> - if (!pci_vpd_available(dev))
> + if (!pci_vpd_available(dev, check_size))
> return -ENODEV;
>
> if (pos < 0)
> return -EINVAL;
>
> + max_len = check_size ? vpd->len : PCI_VPD_MAX_SIZE;
> +
> if (pos >= max_len)
> return 0;
>
> @@ -218,17 +220,19 @@ static ssize_t pci_vpd_write(struct pci_dev *dev, loff_t pos, size_t count,
> const void *arg, bool check_size)
> {
> struct pci_vpd *vpd = &dev->vpd;
> - unsigned int max_len = check_size ? vpd->len : PCI_VPD_MAX_SIZE;
> + unsigned int max_len;
> const u8 *buf = arg;
> loff_t end = pos + count;
> int ret = 0;
>
> - if (!pci_vpd_available(dev))
> + if (!pci_vpd_available(dev, check_size))
> return -ENODEV;
>
> if (pos < 0 || (pos & 3) || (count & 3))
> return -EINVAL;
>
> + max_len = check_size ? vpd->len : PCI_VPD_MAX_SIZE;
> +
> if (end > max_len)
> return -EINVAL;
>
> @@ -312,7 +316,7 @@ void *pci_vpd_alloc(struct pci_dev *dev, unsigned int *size)
> void *buf;
> int cnt;
>
> - if (!pci_vpd_available(dev))
> + if (!pci_vpd_available(dev, true))
> return ERR_PTR(-ENODEV);
>
> len = dev->vpd.len;
> --
> 2.33.0
>
^ permalink raw reply [flat|nested] 5+ messages in thread* Re: [PATCH] PCI/VPD: Fix stack overflow caused by pci_read_vpd_any()
2021-10-13 18:53 ` Bjorn Helgaas
@ 2021-10-13 19:12 ` Heiner Kallweit
0 siblings, 0 replies; 5+ messages in thread
From: Heiner Kallweit @ 2021-10-13 19:12 UTC (permalink / raw)
To: Bjorn Helgaas; +Cc: Bjorn Helgaas, linux-pci, Qian Cai
On 13.10.2021 20:53, Bjorn Helgaas wrote:
> On Wed, Oct 13, 2021 at 08:19:59PM +0200, Heiner Kallweit wrote:
>> Recent bug fix 00e1a5d21b4f ("PCI/VPD: Defer VPD sizing until first
>> access") interferes with the original change, resulting in a stack
>> overflow. The following fix has been successfully tested by Qian
>> and myself.
>
> What does "the original change" refer to? 80484b7f8db1? I guess the
> stack overflow is an unintended recursion? Is there a URL to Qian's
> bug report with more details that we can include here?
>
1. yes
2. yes
3. https://lore.kernel.org/netdev/e89087c5-c495-c5ca-feb1-54cf3a8775c5@quicinc.com/
>> Fixes: 80484b7f8db1 ("PCI/VPD: Use pci_read_vpd_any() in pci_vpd_size()")
>> Reported-by: Qian Cai <quic_qiancai@quicinc.com>
>> Tested-by: Qian Cai <quic_qiancai@quicinc.com>
>> Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com>
>> ---
>> drivers/pci/vpd.c | 18 +++++++++++-------
>> 1 file changed, 11 insertions(+), 7 deletions(-)
>>
>> diff --git a/drivers/pci/vpd.c b/drivers/pci/vpd.c
>> index 5108bbd20..a4fc4d069 100644
>> --- a/drivers/pci/vpd.c
>> +++ b/drivers/pci/vpd.c
>> @@ -96,14 +96,14 @@ static size_t pci_vpd_size(struct pci_dev *dev)
>> return off ?: PCI_VPD_SZ_INVALID;
>> }
>>
>> -static bool pci_vpd_available(struct pci_dev *dev)
>> +static bool pci_vpd_available(struct pci_dev *dev, bool check_size)
>> {
>> struct pci_vpd *vpd = &dev->vpd;
>>
>> if (!vpd->cap)
>> return false;
>>
>> - if (vpd->len == 0) {
>> + if (vpd->len == 0 && check_size) {
>> vpd->len = pci_vpd_size(dev);
>> if (vpd->len == PCI_VPD_SZ_INVALID) {
>> vpd->cap = 0;
>> @@ -156,17 +156,19 @@ static ssize_t pci_vpd_read(struct pci_dev *dev, loff_t pos, size_t count,
>> void *arg, bool check_size)
>> {
>> struct pci_vpd *vpd = &dev->vpd;
>> - unsigned int max_len = check_size ? vpd->len : PCI_VPD_MAX_SIZE;
>> + unsigned int max_len;
>> int ret = 0;
>> loff_t end = pos + count;
>> u8 *buf = arg;
>>
>> - if (!pci_vpd_available(dev))
>> + if (!pci_vpd_available(dev, check_size))
>> return -ENODEV;
>>
>> if (pos < 0)
>> return -EINVAL;
>>
>> + max_len = check_size ? vpd->len : PCI_VPD_MAX_SIZE;
>> +
>> if (pos >= max_len)
>> return 0;
>>
>> @@ -218,17 +220,19 @@ static ssize_t pci_vpd_write(struct pci_dev *dev, loff_t pos, size_t count,
>> const void *arg, bool check_size)
>> {
>> struct pci_vpd *vpd = &dev->vpd;
>> - unsigned int max_len = check_size ? vpd->len : PCI_VPD_MAX_SIZE;
>> + unsigned int max_len;
>> const u8 *buf = arg;
>> loff_t end = pos + count;
>> int ret = 0;
>>
>> - if (!pci_vpd_available(dev))
>> + if (!pci_vpd_available(dev, check_size))
>> return -ENODEV;
>>
>> if (pos < 0 || (pos & 3) || (count & 3))
>> return -EINVAL;
>>
>> + max_len = check_size ? vpd->len : PCI_VPD_MAX_SIZE;
>> +
>> if (end > max_len)
>> return -EINVAL;
>>
>> @@ -312,7 +316,7 @@ void *pci_vpd_alloc(struct pci_dev *dev, unsigned int *size)
>> void *buf;
>> int cnt;
>>
>> - if (!pci_vpd_available(dev))
>> + if (!pci_vpd_available(dev, true))
>> return ERR_PTR(-ENODEV);
>>
>> len = dev->vpd.len;
>> --
>> 2.33.0
>>
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] PCI/VPD: Fix stack overflow caused by pci_read_vpd_any()
2021-10-13 18:19 [PATCH] PCI/VPD: Fix stack overflow caused by pci_read_vpd_any() Heiner Kallweit
2021-10-13 18:53 ` Bjorn Helgaas
@ 2021-10-25 20:57 ` Bjorn Helgaas
2021-10-26 0:22 ` Bjorn Helgaas
1 sibling, 1 reply; 5+ messages in thread
From: Bjorn Helgaas @ 2021-10-25 20:57 UTC (permalink / raw)
To: Heiner Kallweit; +Cc: Bjorn Helgaas, linux-pci, Qian Cai
On Wed, Oct 13, 2021 at 08:19:59PM +0200, Heiner Kallweit wrote:
> Recent bug fix 00e1a5d21b4f ("PCI/VPD: Defer VPD sizing until first
> access") interferes with the original change, resulting in a stack
> overflow. The following fix has been successfully tested by Qian
> and myself.
>
> Fixes: 80484b7f8db1 ("PCI/VPD: Use pci_read_vpd_any() in pci_vpd_size()")
> Reported-by: Qian Cai <quic_qiancai@quicinc.com>
> Tested-by: Qian Cai <quic_qiancai@quicinc.com>
> Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com>
What does this apply to?
> ---
> drivers/pci/vpd.c | 18 +++++++++++-------
> 1 file changed, 11 insertions(+), 7 deletions(-)
>
> diff --git a/drivers/pci/vpd.c b/drivers/pci/vpd.c
> index 5108bbd20..a4fc4d069 100644
> --- a/drivers/pci/vpd.c
> +++ b/drivers/pci/vpd.c
> @@ -96,14 +96,14 @@ static size_t pci_vpd_size(struct pci_dev *dev)
> return off ?: PCI_VPD_SZ_INVALID;
> }
>
> -static bool pci_vpd_available(struct pci_dev *dev)
> +static bool pci_vpd_available(struct pci_dev *dev, bool check_size)
> {
> struct pci_vpd *vpd = &dev->vpd;
>
> if (!vpd->cap)
> return false;
>
> - if (vpd->len == 0) {
> + if (vpd->len == 0 && check_size) {
> vpd->len = pci_vpd_size(dev);
> if (vpd->len == PCI_VPD_SZ_INVALID) {
> vpd->cap = 0;
> @@ -156,17 +156,19 @@ static ssize_t pci_vpd_read(struct pci_dev *dev, loff_t pos, size_t count,
> void *arg, bool check_size)
> {
> struct pci_vpd *vpd = &dev->vpd;
> - unsigned int max_len = check_size ? vpd->len : PCI_VPD_MAX_SIZE;
> + unsigned int max_len;
> int ret = 0;
> loff_t end = pos + count;
> u8 *buf = arg;
>
> - if (!pci_vpd_available(dev))
> + if (!pci_vpd_available(dev, check_size))
> return -ENODEV;
>
> if (pos < 0)
> return -EINVAL;
>
> + max_len = check_size ? vpd->len : PCI_VPD_MAX_SIZE;
> +
> if (pos >= max_len)
> return 0;
>
> @@ -218,17 +220,19 @@ static ssize_t pci_vpd_write(struct pci_dev *dev, loff_t pos, size_t count,
> const void *arg, bool check_size)
> {
> struct pci_vpd *vpd = &dev->vpd;
> - unsigned int max_len = check_size ? vpd->len : PCI_VPD_MAX_SIZE;
> + unsigned int max_len;
> const u8 *buf = arg;
> loff_t end = pos + count;
> int ret = 0;
>
> - if (!pci_vpd_available(dev))
> + if (!pci_vpd_available(dev, check_size))
> return -ENODEV;
>
> if (pos < 0 || (pos & 3) || (count & 3))
> return -EINVAL;
>
> + max_len = check_size ? vpd->len : PCI_VPD_MAX_SIZE;
> +
> if (end > max_len)
> return -EINVAL;
>
> @@ -312,7 +316,7 @@ void *pci_vpd_alloc(struct pci_dev *dev, unsigned int *size)
> void *buf;
> int cnt;
>
> - if (!pci_vpd_available(dev))
> + if (!pci_vpd_available(dev, true))
> return ERR_PTR(-ENODEV);
>
> len = dev->vpd.len;
> --
> 2.33.0
>
^ permalink raw reply [flat|nested] 5+ messages in thread* Re: [PATCH] PCI/VPD: Fix stack overflow caused by pci_read_vpd_any()
2021-10-25 20:57 ` Bjorn Helgaas
@ 2021-10-26 0:22 ` Bjorn Helgaas
0 siblings, 0 replies; 5+ messages in thread
From: Bjorn Helgaas @ 2021-10-26 0:22 UTC (permalink / raw)
To: Heiner Kallweit; +Cc: Bjorn Helgaas, linux-pci, Qian Cai
On Mon, Oct 25, 2021 at 03:57:00PM -0500, Bjorn Helgaas wrote:
> On Wed, Oct 13, 2021 at 08:19:59PM +0200, Heiner Kallweit wrote:
> > Recent bug fix 00e1a5d21b4f ("PCI/VPD: Defer VPD sizing until first
> > access") interferes with the original change, resulting in a stack
> > overflow. The following fix has been successfully tested by Qian
> > and myself.
> >
> > Fixes: 80484b7f8db1 ("PCI/VPD: Use pci_read_vpd_any() in pci_vpd_size()")
> > Reported-by: Qian Cai <quic_qiancai@quicinc.com>
> > Tested-by: Qian Cai <quic_qiancai@quicinc.com>
> > Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com>
>
> What does this apply to?
Never mind, I'm an idiot. Obviously this fixes 80484b7f8db1 which is
a commit on my pci/vpd branch, and this patch applies there. Duh.
Anyway, I squashed this into that fix to avoid a bisection hole and
updated pci/vpd and my "next" branch
> > ---
> > drivers/pci/vpd.c | 18 +++++++++++-------
> > 1 file changed, 11 insertions(+), 7 deletions(-)
> >
> > diff --git a/drivers/pci/vpd.c b/drivers/pci/vpd.c
> > index 5108bbd20..a4fc4d069 100644
> > --- a/drivers/pci/vpd.c
> > +++ b/drivers/pci/vpd.c
> > @@ -96,14 +96,14 @@ static size_t pci_vpd_size(struct pci_dev *dev)
> > return off ?: PCI_VPD_SZ_INVALID;
> > }
> >
> > -static bool pci_vpd_available(struct pci_dev *dev)
> > +static bool pci_vpd_available(struct pci_dev *dev, bool check_size)
> > {
> > struct pci_vpd *vpd = &dev->vpd;
> >
> > if (!vpd->cap)
> > return false;
> >
> > - if (vpd->len == 0) {
> > + if (vpd->len == 0 && check_size) {
> > vpd->len = pci_vpd_size(dev);
> > if (vpd->len == PCI_VPD_SZ_INVALID) {
> > vpd->cap = 0;
> > @@ -156,17 +156,19 @@ static ssize_t pci_vpd_read(struct pci_dev *dev, loff_t pos, size_t count,
> > void *arg, bool check_size)
> > {
> > struct pci_vpd *vpd = &dev->vpd;
> > - unsigned int max_len = check_size ? vpd->len : PCI_VPD_MAX_SIZE;
> > + unsigned int max_len;
> > int ret = 0;
> > loff_t end = pos + count;
> > u8 *buf = arg;
> >
> > - if (!pci_vpd_available(dev))
> > + if (!pci_vpd_available(dev, check_size))
> > return -ENODEV;
> >
> > if (pos < 0)
> > return -EINVAL;
> >
> > + max_len = check_size ? vpd->len : PCI_VPD_MAX_SIZE;
> > +
> > if (pos >= max_len)
> > return 0;
> >
> > @@ -218,17 +220,19 @@ static ssize_t pci_vpd_write(struct pci_dev *dev, loff_t pos, size_t count,
> > const void *arg, bool check_size)
> > {
> > struct pci_vpd *vpd = &dev->vpd;
> > - unsigned int max_len = check_size ? vpd->len : PCI_VPD_MAX_SIZE;
> > + unsigned int max_len;
> > const u8 *buf = arg;
> > loff_t end = pos + count;
> > int ret = 0;
> >
> > - if (!pci_vpd_available(dev))
> > + if (!pci_vpd_available(dev, check_size))
> > return -ENODEV;
> >
> > if (pos < 0 || (pos & 3) || (count & 3))
> > return -EINVAL;
> >
> > + max_len = check_size ? vpd->len : PCI_VPD_MAX_SIZE;
> > +
> > if (end > max_len)
> > return -EINVAL;
> >
> > @@ -312,7 +316,7 @@ void *pci_vpd_alloc(struct pci_dev *dev, unsigned int *size)
> > void *buf;
> > int cnt;
> >
> > - if (!pci_vpd_available(dev))
> > + if (!pci_vpd_available(dev, true))
> > return ERR_PTR(-ENODEV);
> >
> > len = dev->vpd.len;
> > --
> > 2.33.0
> >
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2021-10-26 0:22 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-10-13 18:19 [PATCH] PCI/VPD: Fix stack overflow caused by pci_read_vpd_any() Heiner Kallweit
2021-10-13 18:53 ` Bjorn Helgaas
2021-10-13 19:12 ` Heiner Kallweit
2021-10-25 20:57 ` Bjorn Helgaas
2021-10-26 0:22 ` Bjorn Helgaas
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.