[PATCH 1/2] x86/PCI: Fix a sanity check in pirq_convert_irt_table()

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]


We compare the size in bytes of a struct (and its ending flexible array)
with the number of elements in a flexible array.

This is wrong and "ir->size < ir->used" is likely to be always false.

Compute the number of possible entries instead, as already done in other
places, and compare it to the number of used entries.

Fixes: b584db0c84db ("x86/PCI: Add $IRT PIRQ routing table support")
Signed-off-by: Christophe JAILLET <christophe.jaillet@xxxxxxxxxx>

/!\  This patch is speculative. Review with care  /!\

I'm not sure that this sanity check is needed at all.

If 'used' was the size of the flexible array, I think it would simplify
the code in other places. It will also help scripts when __counted_by macro
will be added.
See [1].

[1]: https://lore.kernel.org/all/6453f739.170a0220.62695.7785@xxxxxxxxxxxxx/
 arch/x86/pci/irq.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/arch/x86/pci/irq.c b/arch/x86/pci/irq.c
index a498b847d740..e29b487cc069 100644
--- a/arch/x86/pci/irq.c
+++ b/arch/x86/pci/irq.c
@@ -128,12 +128,16 @@ static inline struct irq_routing_table *pirq_convert_irt_table(u8 *addr,
 	struct irt_routing_table *ir;
 	struct irq_routing_table *rt;
+	int entries;
 	u16 size;
 	u8 sum;
 	int i;
 	ir = (struct irt_routing_table *)addr;
-	if (ir->signature != IRT_SIGNATURE || !ir->used || ir->size < ir->used)
+	entries = (ir->size - sizeof(struct irq_routing_table)) /
+		sizeof(struct irq_info);
+	if (ir->signature != IRT_SIGNATURE || !ir->used || entries < ir->used)
 		return NULL;
 	size = sizeof(*ir) + ir->used * sizeof(ir->slots[0]);

[Index of Archives]     [DMA Engine]     [Linux Coverity]     [Linux USB]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]     [Greybus]

  Powered by Linux