evie/android_kernel_oneplus_msm8998
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

xen: off by one errors in multicalls.c

Browse source 
b->args[] has MC_ARGS elements, so the comparison here should be
">=" instead of ">".  Otherwise we read past the end of the array
one space.

CC: stable@kernel.org
Signed-off-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Signed-off-by: Jeremy Fitzhardinge <jeremy.fitzhardinge@citrix.com>
This commit is contained in:
Dan Carpenter 2011-06-03 07:45:28 +03:00 committed by Konrad Rzeszutek Wilk
parent e5ac0bda96
commit f124c6ae59
1 changed files with 6 additions and 6 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

12
arch/x86/xen/multicalls.c
View file

@ -189,10 +189,10 @@ struct multicall_space __xen_mc_entry(size_t args)
unsigned argidx = roundup(b->argidx, sizeof(u64)); unsigned argidx = roundup(b->argidx, sizeof(u64));
BUG_ON(preemptible()); BUG_ON(preemptible());
BUG_ON(b->argidx > MC_ARGS); BUG_ON(b->argidx >= MC_ARGS);
if (b->mcidx == MC_BATCH || if (b->mcidx == MC_BATCH ||
(argidx + args) > MC_ARGS) { (argidx + args) >= MC_ARGS) {
mc_stats_flush(b->mcidx == MC_BATCH ? FL_SLOTS : FL_ARGS); mc_stats_flush(b->mcidx == MC_BATCH ? FL_SLOTS : FL_ARGS);
xen_mc_flush(); xen_mc_flush();
argidx = roundup(b->argidx, sizeof(u64)); argidx = roundup(b->argidx, sizeof(u64));
@ -206,7 +206,7 @@ struct multicall_space __xen_mc_entry(size_t args)
ret.args = &b->args[argidx]; ret.args = &b->args[argidx];
b->argidx = argidx + args; b->argidx = argidx + args;
BUG_ON(b->argidx > MC_ARGS); BUG_ON(b->argidx >= MC_ARGS);
return ret; return ret;
} }
@ -216,7 +216,7 @@ struct multicall_space xen_mc_extend_args(unsigned long op, size_t size)
struct multicall_space ret = { NULL, NULL }; struct multicall_space ret = { NULL, NULL };
BUG_ON(preemptible()); BUG_ON(preemptible());
BUG_ON(b->argidx > MC_ARGS); BUG_ON(b->argidx >= MC_ARGS);
if (b->mcidx == 0) if (b->mcidx == 0)
return ret; return ret;
@ -224,14 +224,14 @@ struct multicall_space xen_mc_extend_args(unsigned long op, size_t size)
if (b->entries[b->mcidx - 1].op != op) if (b->entries[b->mcidx - 1].op != op)
return ret; return ret;
if ((b->argidx + size) > MC_ARGS) if ((b->argidx + size) >= MC_ARGS)
return ret; return ret;
ret.mc = &b->entries[b->mcidx - 1]; ret.mc = &b->entries[b->mcidx - 1];
ret.args = &b->args[b->argidx]; ret.args = &b->args[b->argidx];
b->argidx += size; b->argidx += size;
BUG_ON(b->argidx > MC_ARGS); BUG_ON(b->argidx >= MC_ARGS);
return ret; return ret;
} }