linux/drivers/nvdimm
Dan Williams efda1b5d87 acpi, nfit, libnvdimm: fix / harden ars_status output length handling
Given ambiguities in the ACPI 6.1 definition of the "Output (Size)"
field of the ARS (Address Range Scrub) Status command, a firmware
implementation may in practice return 0, 4, or 8 to indicate that there
is no output payload to process.

The specification states "Size of Output Buffer in bytes, including this
field.". However, 'Output Buffer' is also the name of the entire
payload, and earlier in the specification it states "Max Query ARS
Status Output Buffer Size: Maximum size of buffer (including the Status
and Extended Status fields)".

Without this fix if the BIOS happens to return 0 it causes memory
corruption as evidenced by this result from the acpi_nfit_ctl() unit
test.

 ars_status00000000: 00020000 00000000                    ........
 BUG: stack guard page was hit at ffffc90001750000 (stack is ffffc9000174c000..ffffc9000174ffff)
 kernel stack overflow (page fault): 0000 [#1] SMP DEBUG_PAGEALLOC
 task: ffff8803332d2ec0 task.stack: ffffc9000174c000
 RIP: 0010:[<ffffffff814cfe72>]  [<ffffffff814cfe72>] __memcpy+0x12/0x20
 RSP: 0018:ffffc9000174f9a8  EFLAGS: 00010246
 RAX: ffffc9000174fab8 RBX: 0000000000000000 RCX: 000000001fffff56
 RDX: 0000000000000000 RSI: ffff8803231f5a08 RDI: ffffc90001750000
 RBP: ffffc9000174fa88 R08: ffffc9000174fab0 R09: ffff8803231f54b8
 R10: 0000000000000008 R11: 0000000000000001 R12: 0000000000000000
 R13: 0000000000000000 R14: 0000000000000003 R15: ffff8803231f54a0
 FS:  00007f3a611af640(0000) GS:ffff88033ed00000(0000) knlGS:0000000000000000
 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 CR2: ffffc90001750000 CR3: 0000000325b20000 CR4: 00000000000406e0
 Stack:
  ffffffffa00bc60d 0000000000000008 ffffc90000000001 ffffc9000174faac
  0000000000000292 ffffffffa00c24e4 ffffffffa00c2914 0000000000000000
  0000000000000000 ffffffff00000003 ffff880331ae8ad0 0000000800000246
 Call Trace:
  [<ffffffffa00bc60d>] ? acpi_nfit_ctl+0x49d/0x750 [nfit]
  [<ffffffffa01f4fe0>] nfit_test_probe+0x670/0xb1b [nfit_test]

Cc: <stable@vger.kernel.org>
Fixes: 747ffe11b4 ("libnvdimm, tools/testing/nvdimm: fix 'ars_status' output buffer sizing")
Signed-off-by: Dan Williams <dan.j.williams@intel.com>
2016-12-06 16:08:10 -08:00
..
Kconfig nvdimm: make CONFIG_NVDIMM_DAX 'bool' 2016-10-27 16:16:21 -07:00
Makefile libnvdimm, dax: introduce device-dax infrastructure 2016-05-09 15:35:42 -07:00
blk.c libnvdimm for 4.8 2016-07-28 17:38:16 -07:00
btt.c nvdimm, btt: add a size attribute for BTTs 2016-08-08 09:26:14 -07:00
btt.h libnvdimm, btt: consolidate arena validation 2015-08-14 13:43:04 -04:00
btt_devs.c nvdimm, btt: add a size attribute for BTTs 2016-08-08 09:26:14 -07:00
bus.c acpi, nfit, libnvdimm: fix / harden ars_status output length handling 2016-12-06 16:08:10 -08:00
claim.c libnvdimm, pmem: use nvdimm_flush() for namespace I/O writes 2016-07-12 15:13:48 -07:00
core.c Merge branch 'for-4.9/libnvdimm' into libnvdimm-for-next 2016-10-07 16:46:24 -07:00
dax_devs.c libnvdimm, dax: autodetect support 2016-05-20 22:02:57 -07:00
dimm.c libnvdimm: Fix nvdimm_probe error on NVDIMM-N 2016-09-01 18:20:39 -07:00
dimm_devs.c libnvdimm, namespace: enable allocation of multiple pmem namespaces 2016-10-07 09:22:53 -07:00
e820.c libnvdimm: move ->module to struct nvdimm_bus_descriptor 2016-07-21 20:03:19 -07:00
label.c libnvdimm, namespace: update label implementation for multi-pmem 2016-10-07 09:22:53 -07:00
label.h libnvdimm: write blk label set 2015-06-24 21:24:10 -04:00
namespace_devs.c libnvdimm, namespace: potential NULL deref on allocation error 2016-10-19 10:35:51 -07:00
nd-core.h libnvdimm, namespace: allow creation of multiple pmem-namespaces per region 2016-10-07 09:22:53 -07:00
nd.h Merge branch 'for-4.9/libnvdimm' into libnvdimm-for-next 2016-10-07 16:46:24 -07:00
pfn.h libnvdimm, dax: autodetect support 2016-05-20 22:02:57 -07:00
pfn_devs.c libnvdimm, pfn, dax: fix initialization vs autodetect for mode + alignment 2016-06-23 17:50:39 -07:00
pmem.c pmem: report error on clear poison failure 2016-10-19 10:35:52 -07:00
pmem.h pmem: kill __pmem address space 2016-07-12 19:25:38 -07:00
region.c libnvdimm: keep region data alive over namespace removal 2016-07-11 16:13:41 -07:00
region_devs.c Merge branch 'for-4.9/libnvdimm' into libnvdimm-for-next 2016-10-07 16:46:24 -07:00