On Fri, 22 Nov 2019 00:54:20 +0000, Haiyang Zhang wrote:
> > >
> > > - tab = (u32 *)((unsigned long)&nvmsg->msg.v5_msg.send_table +
> > > - nvmsg->msg.v5_msg.send_table.offset);
> > > + if (offset > msglen - count * sizeof(u32)) {
> >
> > Can't this underflow now? What if msglen is small?
> msglen came from the vmbus container message. We trust it to be big
> enough for the data region.

Ok, it looked like it was read from some descriptor which could potentially be controlled by "the other side" but I trust your judgement :) Both patches LGTM, then.
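Review bot: in the `+ if (offset > msglen - count * sizeof(u32)) {` line the subtraction is done in unsigned arithmetic (sizeof yields size_t), so whenever `count * sizeof(u32)` exceeds msglen the right-hand side wraps to a huge value and the check passes for any offset; this is the underflow raised in the thread, and it does not require msglen to be small, only count to be large relative to it. Reorder the test so nothing can wrap, e.g. `if (offset > msglen || count > (msglen - offset) / sizeof(u32))`, which also avoids overflow of the multiplication.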
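The underflow question above, as an added example that is not part of the thread or of the netvsc patch: a bounds check of the exact shape quoted in the hunk beside a form that cannot wrap. The names msglen, offset and count follow the hunk; the two helper functions and the constructed inputs are hypothetical and stand in for whatever the driver actually validates.

```c
/* Added example, not code from the netvsc patch: a bounds check in the
 * shape of "offset > msglen - count * sizeof(u32)" next to a wrap-free
 * form. Helper names and inputs are hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uint32_t u32;

/* Check as written in the hunk: "msglen - count * sizeof(u32)" is
 * evaluated in size_t, so when count * sizeof(u32) exceeds msglen the
 * subtraction wraps to a huge value and the comparison passes for any
 * offset. Returns true when the table is accepted. */
static bool table_fits_wrapping(size_t msglen, u32 offset, u32 count)
{
	if (offset > msglen - count * sizeof(u32))
		return false;
	return true;
}

/* Wrap-free form: reject offset before subtracting it, and divide the
 * remaining room instead of multiplying count, so neither the
 * subtraction nor the product can wrap. */
static bool table_fits(size_t msglen, u32 offset, u32 count)
{
	if (offset > msglen)
		return false;
	if (count > (msglen - offset) / sizeof(u32))
		return false;
	return true;
}

int main(void)
{
	/* Constructed inputs: a 16-byte message claiming an 8-entry u32
	 * table (32 bytes) at offset 8, i.e. far past the end. */
	size_t msglen = 16;
	u32 offset = 8;
	u32 count = 8;

	printf("wrapping check accepts: %d\n",
	       table_fits_wrapping(msglen, offset, count));
	printf("wrap-free check accepts: %d\n",
	       table_fits(msglen, offset, count));
	return 0;
}
```

With these inputs the wrapping check accepts the table, because 16 - 32 wraps to SIZE_MAX - 15 and 8 is not greater than that; the wrap-free check rejects it, since only (16 - 8) / 4 = 2 entries fit after the offset. Both checks agree on a well-formed input such as a 64-byte message with 4 entries at offset 8.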