From: Pengpeng Hou
To: maddy@linux.ibm.com
Cc: mpe@ellerman.id.au, npiggin@gmail.com, chleroy@kernel.org, kees@kernel.org, srikar@linux.ibm.com, nathanl@linux.ibm.com, linuxppc-dev@lists.ozlabs.org, linux-kernel@vger.kernel.org, pengpeng@iscas.ac.cn
Subject: [PATCH] powerpc/pseries/lparcfg: size the scratch buffer to the system parameter payload
Date: Thu, 2 Apr 2026 00:03:16 +0800
Message-ID: <20260401160316.88551-1-pengpeng@iscas.ac.cn>
X-Mailer: git-send-email 2.50.1
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

parse_system_parameter_string() reads the shared processor LPAR attributes into a firmware buffer that can hold up to 4000 bytes, but it still tokenizes that payload through a fixed 1026-byte scratch buffer. A single long key-value fragment can therefore overrun the local parser buffer before the next comma delimiter is seen.

Allocate the scratch buffer to the current payload size so tokenization stays within bounds.

Fixes: fff9846be00c ("powerpc/pseries/lparcfg: convert to papr_sysparm API")
Signed-off-by: Pengpeng Hou
--- arch/powerpc/platforms/pseries/lparcfg.c | 23 +++++++++++++---------- 1 file changed, 13 insertions(+), 10 deletions(-) diff --git a/arch/powerpc/platforms/pseries/lparcfg.c b/arch/powerpc/platfo= rms/pseries/lparcfg.c index 8821c378bfff..c09f474c241e 100644 --- a/arch/powerpc/platforms/pseries/lparcfg.c +++ b/arch/powerpc/platforms/pseries/lparcfg.c @@ -385,8 +385,6 @@ static void read_lpar_name(struct seq_file *m) read_dt_lpar_name(m); } =20 -#define SPLPAR_MAXLENGTH 1026*(sizeof(char)) - /* * parse_system_parameter_string() * Retrieve the potential_processors, max_entitled_capacity and friends
@@ -407,27 +405,32 @@ static void parse_system_parameter_string(struct seq_= file *m) const char *local_buffer; int splpar_strlen; int idx, w_idx; - char *workbuffer =3D kzalloc(SPLPAR_MAXLENGTH, GFP_KERNEL); - - if (!workbuffer) - goto out_free; + size_t workbuf_size; + char *workbuffer; =20 splpar_strlen =3D be16_to_cpu(buf->len); local_buffer =3D buf->val; + workbuf_size =3D splpar_strlen + 1; + + workbuffer =3D kzalloc(workbuf_size, GFP_KERNEL); + if (!workbuffer) + goto out_free; =20 w_idx =3D 0; idx =3D 0; - while ((*local_buffer) && (idx < splpar_strlen)) { + while ((idx < splpar_strlen) && local_buffer[idx]) { workbuffer[w_idx++] =3D local_buffer[idx++]; - if ((local_buffer[idx] =3D=3D ',') + if (idx >=3D splpar_strlen || + (local_buffer[idx] =3D=3D ',') || (local_buffer[idx] =3D=3D '\0')) { workbuffer[w_idx] =3D '\0'; if (w_idx) { /* avoid the empty string */ seq_printf(m, "%s\n", workbuffer); } - memset(workbuffer, 0, SPLPAR_MAXLENGTH); - idx++; /* skip the comma */ + memset(workbuffer, 0, workbuf_size); + if (idx < splpar_strlen) + idx++; /* skip the comma */ w_idx =3D 0; } else if (local_buffer[idx] =3D=3D '=3D') { /* code here to replace workbuffer contents --=20 2.50.1 (Apple Git-155)
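
Review bot: In the second hunk, workbuf_size is set to splpar_strlen + 1, which covers only the bytes copied from the payload, yet the trailing context shows an '=' branch whose comment says it replaces the workbuffer contents. If a replacement string is longer than the key read from the payload, a short payload now gets a buffer smaller than the old fixed 1026 bytes and the replacement can write past it; size the allocation for the longest replacement as well, or bound the replacement copy by workbuf_size. Separately, splpar_strlen comes straight from be16_to_cpu(buf->len) and drives both the allocation and the reads of local_buffer[idx]; clamping it to the capacity of buf->val before use would keep the loop inside the 4000-byte firmware buffer the commit message describes.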