diff mbox series

[v2,2/4] cxl: add missing return to cdat read error path

Message ID 168382793506.3510737.4792518576623749076.stgit@djiang5-mobl3
State Accepted
Commit 764d102ef94e880ca834a7fe3968a00a05b1fb12
Headers show
Series cxl: Prep for QoS class support | expand

Commit Message

Dave Jiang May 11, 2023, 5:58 p.m. UTC
Add a return to the error path when cxl_cdat_read_table() fails. Current
code continues with the table pointer points to freed memory.

Fixes: 4f8a8f10c2f5 ("cxl/pci: Simplify CDAT retrieval error path")
Signed-off-by: Dave Jiang <dave.jiang@intel.com>
---
 drivers/cxl/core/pci.c |    1 +
 1 file changed, 1 insertion(+)

Comments

Dan Williams May 11, 2023, 11:59 p.m. UTC | #1
Dave Jiang wrote:
> Add a return to the error path when cxl_cdat_read_table() fails. Current
> code continues with the table pointer points to freed memory.

Yikes, at least the attribute is BIN_ATTR_ADMIN_RO(), but still bad.
Will mark this as an urgent fix.
Jonathan Cameron May 15, 2023, 10:03 a.m. UTC | #2
On Thu, 11 May 2023 16:59:38 -0700
Dan Williams <dan.j.williams@intel.com> wrote:

> Dave Jiang wrote:
> > Add a return to the error path when cxl_cdat_read_table() fails. Current
> > code continues with the table pointer points to freed memory.  
> 
> Yikes, at least the attribute is BIN_ATTR_ADMIN_RO(), but still bad.
> Will mark this as an urgent fix.

I see it's already gone upstream but fwiw

Reviewed-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>

I first thought we were saved because the cdat_length parameter
would be set to 0, but nope, that will have the value from the
earlier cxl_cdat_get_length() so if that succeeds and the later
table readout doesn't we indeed end up in a mess..
diff mbox series

Patch

diff --git a/drivers/cxl/core/pci.c b/drivers/cxl/core/pci.c
index bdbd907884ce..f332fe7af92b 100644
--- a/drivers/cxl/core/pci.c
+++ b/drivers/cxl/core/pci.c
@@ -571,6 +571,7 @@  void read_cdat_data(struct cxl_port *port)
 		/* Don't leave table data allocated on error */
 		devm_kfree(dev, cdat_table);
 		dev_err(dev, "CDAT data read error\n");
+		return;
 	}
 
 	port->cdat.table = cdat_table + sizeof(__le32);