mirror of
https://github.com/hardkernel/linux.git
synced 2026-06-05 18:41:58 +09:00
cxl/pci: Handle truncated CDAT header
commit34bafc747cupstream. cxl_cdat_get_length() only checks whether the DOE response size is sufficient for the Table Access response header (1 dword), but not the succeeding CDAT header (1 dword length plus other fields). It thus returns whatever uninitialized memory happens to be on the stack if a truncated DOE response with only 1 dword was received. Fix it. Fixes:c97006046c("cxl/port: Read CDAT table") Reported-by: Ming Li <ming4.li@intel.com> Tested-by: Ira Weiny <ira.weiny@intel.com> Signed-off-by: Lukas Wunner <lukas@wunner.de> Reviewed-by: Ming Li <ming4.li@intel.com> Reviewed-by: Dan Williams <dan.j.williams@intel.com> Reviewed-by: Jonathan Cameron <Jonathan.Cameron@huawei.com> Cc: stable@vger.kernel.org # v6.0+ Reviewed-by: Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy@linux.intel.com> Link: https://lore.kernel.org/r/000e69cd163461c8b1bc2cf4155b6e25402c29c7.1678543498.git.lukas@wunner.de Signed-off-by: Dan Williams <dan.j.williams@intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This commit is contained in:
Lukas Wunner
committed by
Greg Kroah-Hartman
Greg Kroah-Hartman
parent
021544721f
commit
ff7edd1ac6
@@ -531,7 +531,7 @@ static int cxl_cdat_get_length(struct device *dev,
|
||||
return rc;
|
||||
}
|
||||
wait_for_completion(&t.c);
|
||||
if (t.task.rv < sizeof(__le32))
|
||||
if (t.task.rv < 2 * sizeof(__le32))
|
||||
return -EIO;
|
||||
|
||||
*length = le32_to_cpu(t.response_pl[1]);
|
||||
|
||||
Reference in New Issue
Block a user