From patchwork Tue Nov 24 18:49:57 2015 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Bjorn Helgaas X-Patchwork-Id: 7692811 X-Patchwork-Delegate: bhelgaas@google.com Return-Path: X-Original-To: patchwork-linux-pci@patchwork.kernel.org Delivered-To: patchwork-parsemail@patchwork2.web.kernel.org Received: from mail.kernel.org (mail.kernel.org [198.145.29.136]) by patchwork2.web.kernel.org (Postfix) with ESMTP id 6C4BFBF90C for ; Tue, 24 Nov 2015 18:50:08 +0000 (UTC) Received: from mail.kernel.org (localhost [127.0.0.1]) by mail.kernel.org (Postfix) with ESMTP id 85605207C0 for ; Tue, 24 Nov 2015 18:50:07 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 35F0A2088D for ; Tue, 24 Nov 2015 18:50:03 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751615AbbKXSuB (ORCPT ); Tue, 24 Nov 2015 13:50:01 -0500 Received: from mail.kernel.org ([198.145.29.136]:58846 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751292AbbKXSuB (ORCPT ); Tue, 24 Nov 2015 13:50:01 -0500 Received: from mail.kernel.org (localhost [127.0.0.1]) by mail.kernel.org (Postfix) with ESMTP id E9BEC2088D; Tue, 24 Nov 2015 18:49:59 +0000 (UTC) Received: from localhost (unknown [69.71.1.1]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 0BCCD207C0; Tue, 24 Nov 2015 18:49:58 +0000 (UTC) Date: Tue, 24 Nov 2015 12:49:57 -0600 From: Bjorn Helgaas To: Mathias Krause Cc: Bjorn Helgaas , linux-pci@vger.kernel.org, Sasha Levin , Prarit Bhargava Subject: Re: [PATCH v2] PCI: Prevent out of bounds access in numa_node override - part 2 Message-ID: <20151124184957.GB27957@localhost> References: <1447095627-12798-1-git-send-email-minipli@googlemail.com> MIME-Version: 1.0 Content-Disposition: inline In-Reply-To: <1447095627-12798-1-git-send-email-minipli@googlemail.com> User-Agent: Mutt/1.5.21 (2010-09-15) X-Spam-Status: No, score=-7.5 required=5.0 tests=BAYES_00, RCVD_IN_DNSWL_HI, RP_MATCHES_RCVD, UNPARSEABLE_RELAY autolearn=unavailable version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP Sender: linux-pci-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-pci@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP On Mon, Nov 09, 2015 at 08:00:27PM +0100, Mathias Krause wrote: > Commit 1266963170f5 ("PCI: Prevent out of bounds access in numa_node > override") missed that the user provided node could also be negative. > Handle this case as well to avoid out-of-bounds accesses to the > node_states[] array. However, allow the special value -1, i.e. > NUMA_NO_NODE, to be able to set the 'no specific node' configuration. > > Fixes: 1266963170f5 ("PCI: Prevent out of bounds access in numa_node...") > Signed-off-by: Mathias Krause > Cc: Sasha Levin > Cc: Prarit Bhargava > Cc: stable@vger.kernel.org # v3.19+ Applied as tweaked below to for-linus for v4.4, thanks! As written, if NUMA_NO_NODE were defined as -2, we would incorrectly accept -1. Let me know if you disagree with my fix. > --- > v2: allow NUMA_NO_NODE > > drivers/pci/pci-sysfs.c | 5 ++++- > 1 file changed, 4 insertions(+), 1 deletion(-) > > diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c > index 92618686604c..6e9818227b19 100644 > --- a/drivers/pci/pci-sysfs.c > +++ b/drivers/pci/pci-sysfs.c > @@ -216,7 +216,10 @@ static ssize_t numa_node_store(struct device *dev, > if (ret) > return ret; > > - if (node >= MAX_NUMNODES || !node_online(node)) > + if (node < NUMA_NO_NODE || node >= MAX_NUMNODES) > + return -EINVAL; > + > + if (node != NUMA_NO_NODE && !node_online(node)) > return -EINVAL; > > add_taint(TAINT_FIRMWARE_WORKAROUND, LOCKDEP_STILL_OK); commit 2a35194c5a45fbb9ca1d88bc56804dfb51a75233 Author: Mathias Krause Date: Mon Nov 9 20:00:27 2015 +0100 PCI: Prevent out of bounds access in numa_node override Commit 1266963170f5 ("PCI: Prevent out of bounds access in numa_node override") missed that the user-provided node could also be negative. Handle this case as well to avoid out-of-bounds accesses to the node_states[] array. However, allow the special value -1, i.e. NUMA_NO_NODE, to be able to set the 'no specific node' configuration. [bhelgaas: remove assumption that NUMA_NO_NODE == -1] Fixes: 1266963170f5 ("PCI: Prevent out of bounds access in numa_node override") Fixes: 63692df103e9 ("PCI: Allow numa_node override via sysfs") Signed-off-by: Mathias Krause Signed-off-by: Bjorn Helgaas CC: Sasha Levin CC: Prarit Bhargava CC: stable@vger.kernel.org # v3.19+ --- To unsubscribe from this list: send the line "unsubscribe linux-pci" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c index 9261868..50f4747 100644 --- a/drivers/pci/pci-sysfs.c +++ b/drivers/pci/pci-sysfs.c @@ -216,7 +216,12 @@ static ssize_t numa_node_store(struct device *dev, if (ret) return ret; - if (node >= MAX_NUMNODES || !node_online(node)) + if (node < 0 || node >= MAX_NUMNODES) { + if (node != NUMA_NO_NODE) + return -EINVAL; + } + + if (node != NUMA_NO_NODE && !node_online(node)) return -EINVAL; add_taint(TAINT_FIRMWARE_WORKAROUND, LOCKDEP_STILL_OK);