public inbox for kvm@vger.kernel.org
From: Alex Williamson <alex.williamson@redhat.com>
To: Eric Auger <eric.auger@redhat.com>
Cc: eric.auger.pro@gmail.com, linux-kernel@vger.kernel.org,
	kvm@vger.kernel.org, David Hildenbrand <david@redhat.com>
Subject: Re: [PATCH] vfio: fix vfio_info_cap_add/shift
Date: Mon, 21 Nov 2016 13:37:45 -0700
Message-ID: <20161121133745.31fa7a1e@t450s.home>
In-Reply-To: <1479709262-4707-1-git-send-email-eric.auger@redhat.com>

On Mon, 21 Nov 2016 07:21:02 +0100
Eric Auger <eric.auger@redhat.com> wrote:

> Capability header next field is an offset relative to the start of
> the INFO buffer. tmp->next is assigned the proper value but iterations
> implemented in vfio_info_cap_add and vfio_info_cap_shift use next
> as an offset between the headers. When coping with multiple capabilities
> this leads to an Oops.
> 
> Signed-off-by: Eric Auger <eric.auger@redhat.com>
> ---
>  drivers/vfio/vfio.c | 5 +++--
>  1 file changed, 3 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/vfio/vfio.c b/drivers/vfio/vfio.c
> index d1d70e0..1e838d1 100644
> --- a/drivers/vfio/vfio.c
> +++ b/drivers/vfio/vfio.c
> @@ -1763,7 +1763,7 @@ struct vfio_info_cap_header *vfio_info_cap_add(struct vfio_info_cap *caps,
>  	header->version = version;
>  
>  	/* Add to the end of the capability chain */
> -	for (tmp = caps->buf; tmp->next; tmp = (void *)tmp + tmp->next)
> +	for (tmp = buf; tmp->next; tmp = buf + tmp->next)
>  		; /* nothing */
>  
>  	tmp->next = caps->size;
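Review bot: the new loop in vfio_info_cap_add uses `buf` without its declaration appearing in this hunk, so the diff alone does not show what it is; the fix is only correct if `buf` is a `void *` (byte) pointer to the start of the same info buffer that `caps->buf` refers to at this point, because `buf + tmp->next` treats `next` as an absolute byte offset from the buffer start, which is also what the unchanged `tmp->next = caps->size;` line stores for the newly appended header. A short comment above the loop stating that `next` is buffer-relative (not header-relative, which is what the old `(void *)tmp + tmp->next` assumed) would document the invariant this patch restores.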
> @@ -1776,8 +1776,9 @@ EXPORT_SYMBOL_GPL(vfio_info_cap_add);
>  void vfio_info_cap_shift(struct vfio_info_cap *caps, size_t offset)
>  {
>  	struct vfio_info_cap_header *tmp;
> +	void *buf = (void *)caps->buf;
>  
> -	for (tmp = caps->buf; tmp->next; tmp = (void *)tmp + tmp->next - offset)
> +	for (tmp = buf; tmp->next; tmp = buf + tmp->next - offset)
>  		tmp->next += offset;
>  }
>  EXPORT_SYMBOL_GPL(vfio_info_cap_shift);
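Review bot: in vfio_info_cap_shift the increment expression `buf + tmp->next - offset` runs after the body has already executed `tmp->next += offset`, so subtracting `offset` back out lands on the next header at its original buffer-relative position; that is correct but easy to misread, and a one-line comment saying that `next` has already been rebased when the increment is evaluated would help the next reader. The walk is also unbounded: it stops only when `tmp->next` is 0 and otherwise dereferences `buf + tmp->next` unconditionally, so a header with a stale or out-of-range `next` would be followed outside `caps->buf`; either a check against `caps->size` or a comment stating that the chain is always kernel-built and zero-terminated would make that assumption explicit.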

Thanks, good to get this fixed before we start getting multiple entries
in the chain and expose it via mdev.  For that same reason I also don't
see that this needs any sort of stable backport as the existing code
works for the single entries in the tree.  Applied to next branch for
4.10 with David's R-b.  Thanks,

Alex

Thread overview: 3+ messages
2016-11-21  6:21 [PATCH] vfio: fix vfio_info_cap_add/shift Eric Auger
2016-11-21 18:52 ` David Hildenbrand
2016-11-21 20:37 ` Alex Williamson [this message]
