| Message ID | 20211125051328.3359902-1-zhenyuw@linux.intel.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | vfio/pci: Fix OpRegion read | expand |
On Thu, 25 Nov 2021 13:13:28 +0800 Zhenyu Wang <zhenyuw@linux.intel.com> wrote: > This is to fix incorrect pointer arithmetic which caused wrong > OpRegion version returned, then VM driver got error to get wanted > VBT block. We need to be safe to return correct data, so force > pointer type for byte access. > > Fixes: 49ba1a2976c8 ("vfio/pci: Add OpRegion 2.0+ Extended VBT support.") > Cc: Colin Xu <colin.xu@gmail.com> > Cc: Alex Williamson <alex.williamson@redhat.com> > Cc: Dmitry Torokhov <dtor@chromium.org> > Cc: "Xu, Terrence" <terrence.xu@intel.com> > Cc: "Gao, Fred" <fred.gao@intel.com> > Acked-by: Colin Xu <colin.xu@gmail.com> > Signed-off-by: Zhenyu Wang <zhenyuw@linux.intel.com> > --- > drivers/vfio/pci/vfio_pci_igd.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/drivers/vfio/pci/vfio_pci_igd.c b/drivers/vfio/pci/vfio_pci_igd.c > index 56cd551e0e04..dad6eeed5e80 100644 > --- a/drivers/vfio/pci/vfio_pci_igd.c > +++ b/drivers/vfio/pci/vfio_pci_igd.c > @@ -98,7 +98,7 @@ static ssize_t vfio_pci_igd_rw(struct vfio_pci_core_device *vdev, > version = cpu_to_le16(0x0201); > > if (igd_opregion_shift_copy(buf, &off, > - &version + (pos - OPREGION_VERSION), > + (u8 *)&version + (pos - OPREGION_VERSION), > &pos, &remaining, bytes)) > return -EFAULT; > } > @@ -121,7 +121,7 @@ static ssize_t vfio_pci_igd_rw(struct vfio_pci_core_device *vdev, > OPREGION_SIZE : 0); > > if (igd_opregion_shift_copy(buf, &off, > - &rvda + (pos - OPREGION_RVDA), > + (u8 *)&rvda + (pos - OPREGION_RVDA), > &pos, &remaining, bytes)) > return -EFAULT; > } Applied to vfio for-linus branch for v5.16. Thanks, Alex
diff --git a/drivers/vfio/pci/vfio_pci_igd.c b/drivers/vfio/pci/vfio_pci_igd.c index 56cd551e0e04..dad6eeed5e80 100644 --- a/drivers/vfio/pci/vfio_pci_igd.c +++ b/drivers/vfio/pci/vfio_pci_igd.c @@ -98,7 +98,7 @@ static ssize_t vfio_pci_igd_rw(struct vfio_pci_core_device *vdev, version = cpu_to_le16(0x0201); if (igd_opregion_shift_copy(buf, &off, - &version + (pos - OPREGION_VERSION), + (u8 *)&version + (pos - OPREGION_VERSION), &pos, &remaining, bytes)) return -EFAULT; } @@ -121,7 +121,7 @@ static ssize_t vfio_pci_igd_rw(struct vfio_pci_core_device *vdev, OPREGION_SIZE : 0); if (igd_opregion_shift_copy(buf, &off, - &rvda + (pos - OPREGION_RVDA), + (u8 *)&rvda + (pos - OPREGION_RVDA), &pos, &remaining, bytes)) return -EFAULT; }
This is to fix incorrect pointer arithmetic which caused wrong OpRegion version returned, then VM driver got error to get wanted VBT block. We need to be safe to return correct data, so force pointer type for byte access. Fixes: 49ba1a2976c8 ("vfio/pci: Add OpRegion 2.0+ Extended VBT support.") Cc: Colin Xu <colin.xu@gmail.com> Cc: Alex Williamson <alex.williamson@redhat.com> Cc: Dmitry Torokhov <dtor@chromium.org> Cc: "Xu, Terrence" <terrence.xu@intel.com> Cc: "Gao, Fred" <fred.gao@intel.com> Acked-by: Colin Xu <colin.xu@gmail.com> Signed-off-by: Zhenyu Wang <zhenyuw@linux.intel.com> --- drivers/vfio/pci/vfio_pci_igd.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)