On Mon, 21 Jan 2019 09:54:08 -0500 Farhan Ali <alifm@xxxxxxxxxxxxx> wrote: > When trying to calculate the length of a ccw chain, we assume > there are ccws after a TIC. This can lead to overcounting and > copying garbage data from guest memory. > > Signed-off-by: Farhan Ali <alifm@xxxxxxxxxxxxx> > --- > drivers/s390/cio/vfio_ccw_cp.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/s390/cio/vfio_ccw_cp.c b/drivers/s390/cio/vfio_ccw_cp.c > index 17a1ee3..a820a21 100644 > --- a/drivers/s390/cio/vfio_ccw_cp.c > +++ b/drivers/s390/cio/vfio_ccw_cp.c > @@ -392,7 +392,7 @@ static int ccwchain_calc_length(u64 iova, struct channel_program *cp) > return -EOPNOTSUPP; > } > > - if ((!ccw_is_chain(ccw)) && (!ccw_is_tic(ccw))) > + if (!ccw_is_chain(ccw)) > break; > > ccw++; This looks like the right thing to do.
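Review bot: The remaining check `if (!ccw_is_chain(ccw))` in ccwchain_calc_length() ends the count at a TIC only if ccw_is_chain() returns false for that TIC, and nothing in the hunk states this or explains why a TIC ends the segment. A one-line comment above the check would help, for example that a TIC transfers control elsewhere, so the ccws that follow it in memory are not part of this chain and must not be counted or copied. If a guest can present a TIC with chaining flags set, the loop would still count past it, so that case is worth handling or ruling out explicitly. Since the commit message describes copying garbage data from guest memory, a Fixes: tag naming the commit that introduced the `ccw_is_tic(ccw)` exception would also help with backporting.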