Hi Mark,
On Thursday 18 December 2008, Mark McLoughlin wrote:
> diff --git a/drivers/virtio/virtio_ring.c b/drivers/virtio/virtio_ring.c
> index 5777196..2330c4b 100644
> --- a/drivers/virtio/virtio_ring.c
> +++ b/drivers/virtio/virtio_ring.c
> @@ -70,6 +73,55 @@ struct vring_virtqueue
>
> #define to_vvq(_vq) container_of(_vq, struct vring_virtqueue, vq)
>
> +/* Set up an indirect table of descriptors and add it to the queue. */
> +static int vring_add_indirect(struct vring_virtqueue *vq,
> + struct scatterlist sg[],
> + unsigned int out,
> + unsigned int in)
> +{
> + struct vring_desc *desc;
> + unsigned head;
> + int i;
> +
> + desc = kmalloc((out + in) * sizeof(struct vring_desc), GFP_ATOMIC);
kmalloc() returns ZERO_SIZE_PTR, if (out + in) == 0
> + if (!desc)
> + return vq->vring.num;
> +
> + /* Transfer entries from the sg list into the indirect page */
> + for (i = 0; i < out; i++) {
> + desc[i].flags = VRING_DESC_F_NEXT;
> + desc[i].addr = sg_phys(sg);
> + desc[i].len = sg->length;
> + desc[i].next = i+1;
> + sg++;
> + }
> + for (; i < (out + in); i++) {
> + desc[i].flags = VRING_DESC_F_NEXT|VRING_DESC_F_WRITE;
> + desc[i].addr = sg_phys(sg);
> + desc[i].len = sg->length;
> + desc[i].next = i+1;
> + sg++;
> + }
> +
> + /* Last one doesn't continue. */
> + desc[i-1].flags &= ~VRING_DESC_F_NEXT;
> + desc[i-1].next = 0;
So this array index can fail (be -1).
Please check and avoid within this function.
Best Regards
Ingo Oeser
_______________________________________________
Virtualization mailing list
Virtualization@xxxxxxxxxxxxxxxxxxxxxxxxxx
https://lists.linux-foundation.org/mailman/listinfo/virtualization
