This patch delays the check of nd_reserved2 to the actual endpoint
(acpi_nfit_ctl) that uses it, as a prevention of a potential
double-fetch bug.
Detailed discussion can be found at
https://marc.info/?l=linux-kernel&m=150421938113092&w=2
Signed-off-by: Meng Xu <[email protected]>
---
drivers/acpi/nfit/core.c | 4 ++++
drivers/nvdimm/bus.c | 4 ----
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/acpi/nfit/core.c b/drivers/acpi/nfit/core.c
index 19182d0..694b1b1 100644
--- a/drivers/acpi/nfit/core.c
+++ b/drivers/acpi/nfit/core.c
@@ -228,6 +228,10 @@ int acpi_nfit_ctl(struct nvdimm_bus_descriptor *nd_desc, struct nvdimm *nvdimm,
if (cmd == ND_CMD_CALL) {
call_pkg = buf;
func = call_pkg->nd_command;
+
+ for (i = 0; i < ARRAY_SIZE(call_pkg->nd_reserved2); i++)
+ if (call_pkg->nd_reserved2[i])
+ return -EINVAL;
}
if (nvdimm) {
diff --git a/drivers/nvdimm/bus.c b/drivers/nvdimm/bus.c
index 937fafa..0fb9adb 100644
--- a/drivers/nvdimm/bus.c
+++ b/drivers/nvdimm/bus.c
@@ -980,10 +980,6 @@ static int __nd_ioctl(struct nvdimm_bus *nvdimm_bus, struct nvdimm *nvdimm,
dev_dbg(dev, "%s:%s, idx: %llu, in: %zu, out: %zu, len %zu\n",
__func__, dimm_name, pkg.nd_command,
in_len, out_len, buf_len);
-
- for (i = 0; i < ARRAY_SIZE(pkg.nd_reserved2); i++)
- if (pkg.nd_reserved2[i])
- return -EINVAL;
}
/* process an output envelope */
--
2.7.4
On Mon, Sep 4, 2017 at 8:34 AM, Meng Xu <[email protected]> wrote:
> This patch delays the check of nd_reserved2 to the actual endpoint
> (acpi_nfit_ctl) that uses it, as a prevention of a potential
> double-fetch bug.
>
> Detailed discussion can be found at
> https://marc.info/?l=linux-kernel&m=150421938113092&w=2
Thanks for doing this, I went ahead and copied this discussion into
the patch and applied it.