We have a problem with a device where each VPD read returns 0x33 [0]. This results in a valid VPD structure (except the tag id) and therefore pci_vpd_size() scans the full VPD address range. On an affected system this took ca. 80s. That's not acceptable, on the other hand we may not want to re-add the old tag checks. In addition these tag check still wouldn't be able to avoid the described scenario 100%. Instead let's add a simple sanity check on the number of found tags. A VPD image conforming to the PCI spec can have max. 4 tags: id string, ro section, rw section, end tag. [0] https://lore.kernel.org/lkml/20210915223218.GA1542966@bjorn-Precision-5520/ Signed-off-by: Heiner Kallweit <hkallweit1@xxxxxxxxx> --- drivers/pci/vpd.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/drivers/pci/vpd.c b/drivers/pci/vpd.c index 4be248901..75e48df2e 100644 --- a/drivers/pci/vpd.c +++ b/drivers/pci/vpd.c @@ -56,6 +56,7 @@ static size_t pci_vpd_size(struct pci_dev *dev) { size_t off = 0, size; unsigned char tag, header[1+2]; /* 1 byte tag, 2 bytes length */ + int num_tags = 0; /* Otherwise the following reads would fail. */ dev->vpd.len = PCI_VPD_MAX_SIZE; @@ -66,6 +67,10 @@ static size_t pci_vpd_size(struct pci_dev *dev) if (off == 0 && (header[0] == 0x00 || header[0] == 0xff)) goto error; + /* We can have max 4 tags: STRING_ID, RO, RW, END */ + if (++num_tags > 4) + goto error; + if (header[0] & PCI_VPD_LRDT) { /* Large Resource Data Type Tag */ if (pci_read_vpd(dev, off + 1, 2, &header[1]) != 2) { -- 2.33.0
