From: Lukas Wunner lukas@wunner.de
commit 34bafc747c54fb58c1908ec3116fa6137393e596 upstream.
cxl_cdat_get_length() only checks whether the DOE response size is sufficient for the Table Access response header (1 dword), but not the succeeding CDAT header (1 dword length plus other fields).
It thus returns whatever uninitialized memory happens to be on the stack if a truncated DOE response with only 1 dword was received. Fix it.
Fixes: c97006046c79 ("cxl/port: Read CDAT table")
Reported-by: Ming Li ming4.li@intel.com
Tested-by: Ira Weiny ira.weiny@intel.com
Signed-off-by: Lukas Wunner lukas@wunner.de
Reviewed-by: Ming Li ming4.li@intel.com
Reviewed-by: Dan Williams dan.j.williams@intel.com
Reviewed-by: Jonathan Cameron Jonathan.Cameron@huawei.com
Cc: stable@vger.kernel.org # v6.0+
Reviewed-by: Kuppuswamy Sathyanarayanan sathyanarayanan.kuppuswamy@linux.intel.com
Link: https://lore.kernel.org/r/000e69cd163461c8b1bc2cf4155b6e25402c29c7.167854349...
Signed-off-by: Dan Williams dan.j.williams@intel.com
Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
---
 drivers/cxl/core/pci.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/cxl/core/pci.c +++ b/drivers/cxl/core/pci.c @@ -528,7 +528,7 @@ static int cxl_cdat_get_length(struct de return rc; } wait_for_completion(&t.c); - if (t.task.rv < sizeof(__le32)) + if (t.task.rv < 2 * sizeof(__le32)) return -EIO;
*length = le32_to_cpu(t.response_pl[1]);
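Review bot: The new bound `2 * sizeof(__le32)` in the `t.task.rv` check is linked to the following `*length = le32_to_cpu(t.response_pl[1]);` only implicitly, so a later change that reads another CDAT header field from `t.response_pl` could again read past the received data without this check being updated. A short comment stating that the two dwords are the Table Access response header plus the CDAT length dword, or a named constant for the minimum response size, would make that dependency visible. The truncated-response path also returns `-EIO` with no message; a debug print of the received size would help when diagnosing a device that sends a short DOE response.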