| Message ID | 168382793506.3510737.4792518576623749076.stgit@djiang5-mobl3 |
|---|---|
| State | Accepted |
| Commit | 764d102ef94e880ca834a7fe3968a00a05b1fb12 |
| Headers | show |
| Series | cxl: Prep for QoS class support | expand |
Dave Jiang wrote: > Add a return to the error path when cxl_cdat_read_table() fails. Current > code continues with the table pointer points to freed memory. Yikes, at least the attribute is BIN_ATTR_ADMIN_RO(), but still bad. Will mark this as an urgent fix.
On Thu, 11 May 2023 16:59:38 -0700 Dan Williams <dan.j.williams@intel.com> wrote: > Dave Jiang wrote: > > Add a return to the error path when cxl_cdat_read_table() fails. Current > > code continues with the table pointer points to freed memory. > > Yikes, at least the attribute is BIN_ATTR_ADMIN_RO(), but still bad. > Will mark this as an urgent fix. I see it's already gone upstream but fwiw Reviewed-by: Jonathan Cameron <Jonathan.Cameron@huawei.com> I first thought we were saved because the cdat_length parameter would be set to 0, but nope, that will have the value from the earlier cxl_cdat_get_length() so if that succeeds and the later table readout doesn't we indeed end up in a mess..
diff --git a/drivers/cxl/core/pci.c b/drivers/cxl/core/pci.c index bdbd907884ce..f332fe7af92b 100644 --- a/drivers/cxl/core/pci.c +++ b/drivers/cxl/core/pci.c @@ -571,6 +571,7 @@ void read_cdat_data(struct cxl_port *port) /* Don't leave table data allocated on error */ devm_kfree(dev, cdat_table); dev_err(dev, "CDAT data read error\n"); + return; } port->cdat.table = cdat_table + sizeof(__le32);
Add a return to the error path when cxl_cdat_read_table() fails. Current code continues with the table pointer points to freed memory. Fixes: 4f8a8f10c2f5 ("cxl/pci: Simplify CDAT retrieval error path") Signed-off-by: Dave Jiang <dave.jiang@intel.com> --- drivers/cxl/core/pci.c | 1 + 1 file changed, 1 insertion(+)