tjh.dev
Linux kernel mirror (for testing)
git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel
os
linux
Merge tag 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mst/vhost
Pull virtio fixes from Michael Tsirkin:
"Misc virtio and vdpa bugfixes"
* tag 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mst/vhost:
vdpa: Consider device id larger than 31
virtio/vsock: fix the transport to work with VMADDR_CID_ANY
virtio_ring: Fix querying of maximum DMA mapping size for virtio device
virtio: always enter drivers/virtio/
vduse: check that offset is within bounds in get_config()
vdpa: check that offsets are within bounds
vduse: fix memory corruption in vduse_dev_ioctl()
+11
-8
+1
-2
drivers/Makefile
+1
-2
drivers/Makefile
+2
-1
drivers/vdpa/vdpa.c
+2
-1
drivers/vdpa/vdpa.c
+4
-2
drivers/vdpa/vdpa_user/vduse_dev.c
+4
-2
drivers/vdpa/vdpa_user/vduse_dev.c
···
655
655
{
656
656
struct vduse_dev *dev = vdpa_to_vduse(vdpa);
657
657
658
-
if (len > dev->config_size - offset)
658
+
if (offset > dev->config_size ||
659
+
len > dev->config_size - offset)
659
660
return;
660
661
661
662
memcpy(buf, dev->config + offset, len);
···
976
975
break;
977
976
978
977
ret = -EINVAL;
979
-
if (config.length == 0 ||
978
+
if (config.offset > dev->config_size ||
979
+
config.length == 0 ||
980
980
config.length > dev->config_size - config.offset)
981
981
break;
982
982
+1
-1
drivers/vhost/vdpa.c
+1
-1
drivers/vhost/vdpa.c
+1
-1
drivers/virtio/virtio_ring.c
+1
-1
drivers/virtio/virtio_ring.c
+2
-1
net/vmw_vsock/virtio_transport_common.c
+2
-1
net/vmw_vsock/virtio_transport_common.c
···
1299
1299
space_available = virtio_transport_space_update(sk, pkt);
1300
1300
1301
1301
/* Update CID in case it has changed after a transport reset event */
1302
-
vsk->local_addr.svm_cid = dst.svm_cid;
1302
+
if (vsk->local_addr.svm_cid != VMADDR_CID_ANY)
1303
+
vsk->local_addr.svm_cid = dst.svm_cid;
1303
1304
1304
1305
if (space_available)
1305
1306
sk->sk_write_space(sk);