Lukas Wunner wrote: > cxl_cdat_get_length() only checks whether the DOE response size is > sufficient for the Table Access response header (1 dword), but not the > succeeding CDAT header (1 dword length plus other fields). > > It thus returns whatever uninitialized memory happens to be on the stack > if a truncated DOE response with only 1 dword was received. Fix it. > > Fixes: c97006046c79 ("cxl/port: Read CDAT table") > Reported-by: Ming Li <ming4.li@xxxxxxxxx> > Tested-by: Ira Weiny <ira.weiny@xxxxxxxxx> > Signed-off-by: Lukas Wunner <lukas@xxxxxxxxx> > Cc: stable@xxxxxxxxxxxxxxx # v6.0+ > --- > Changes v2 -> v3: > * Newly added patch in v3 > > drivers/cxl/core/pci.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/cxl/core/pci.c b/drivers/cxl/core/pci.c > index d3cf1d9d67d4..11a85b3a9a0b 100644 > --- a/drivers/cxl/core/pci.c > +++ b/drivers/cxl/core/pci.c > @@ -528,7 +528,7 @@ static int cxl_cdat_get_length(struct device *dev, > return rc; > } > wait_for_completion(&t.c); > - if (t.task.rv < sizeof(u32)) > + if (t.task.rv < 2 * sizeof(u32)) > return -EIO; Looks good, I wonder since this is standard for all data objects whether the check should be pushed into the core? For now this is easier to backport, but a follow-on could push it down a level. Reviewed-by: Dan Williams <dan.j.williams@xxxxxxxxx>