On 06/02/2011 09:45 PM, Dan Carpenter wrote: > b->args[] has MC_ARGS elements, so the comparison here should be > ">=" instead of ">". Otherwise we read past the end of the array > one space. Yeah, looks like a correct fix. Fortunately I don't think anything currently hits that path in practice, though there are some pending patches which will exercise it more. Thanks, J > Signed-off-by: Dan Carpenter <error27@xxxxxxxxx> > --- > This is a static checker patch and I haven't tested it. Please > review carefully. > > diff --git a/arch/x86/xen/multicalls.c b/arch/x86/xen/multicalls.c > index 8bff7e7..1b2b73f 100644 > --- a/arch/x86/xen/multicalls.c > +++ b/arch/x86/xen/multicalls.c > @@ -189,10 +189,10 @@ struct multicall_space __xen_mc_entry(size_t args) > unsigned argidx = roundup(b->argidx, sizeof(u64)); > > BUG_ON(preemptible()); > - BUG_ON(b->argidx > MC_ARGS); > + BUG_ON(b->argidx >= MC_ARGS); > > if (b->mcidx == MC_BATCH || > - (argidx + args) > MC_ARGS) { > + (argidx + args) >= MC_ARGS) { > mc_stats_flush(b->mcidx == MC_BATCH ? FL_SLOTS : FL_ARGS); > xen_mc_flush(); > argidx = roundup(b->argidx, sizeof(u64)); > @@ -206,7 +206,7 @@ struct multicall_space __xen_mc_entry(size_t args) > ret.args = &b->args[argidx]; > b->argidx = argidx + args; > > - BUG_ON(b->argidx > MC_ARGS); > + BUG_ON(b->argidx >= MC_ARGS); > return ret; > } > > @@ -216,7 +216,7 @@ struct multicall_space xen_mc_extend_args(unsigned long op, size_t size) > struct multicall_space ret = { NULL, NULL }; > > BUG_ON(preemptible()); > - BUG_ON(b->argidx > MC_ARGS); > + BUG_ON(b->argidx >= MC_ARGS); > > if (b->mcidx == 0) > return ret; > @@ -224,14 +224,14 @@ struct multicall_space xen_mc_extend_args(unsigned long op, size_t size) > if (b->entries[b->mcidx - 1].op != op) > return ret; > > - if ((b->argidx + size) > MC_ARGS) > + if ((b->argidx + size) >= MC_ARGS) > return ret; > > ret.mc = &b->entries[b->mcidx - 1]; > ret.args = &b->args[b->argidx]; > b->argidx += size; > > - BUG_ON(b->argidx > MC_ARGS); > + BUG_ON(b->argidx >= MC_ARGS); > return ret; > } > > _______________________________________________ > Virtualization mailing list > Virtualization@xxxxxxxxxxxxxxxxxxxxxxxxxx > https://lists.linux-foundation.org/mailman/listinfo/virtualization > _______________________________________________ Virtualization mailing list Virtualization@xxxxxxxxxxxxxxxxxxxxxxxxxx https://lists.linux-foundation.org/mailman/listinfo/virtualization