diff options
author | Dan Carpenter <error27@gmail.com> | 2011-06-03 00:45:28 -0400 |
---|---|---|
committer | Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> | 2011-06-03 16:04:02 -0400 |
commit | f124c6ae59e193705c9ddac57684d50006d710e6 (patch) | |
tree | 9bd662e1f2ee7c937b1b184f371ef1c603018d02 /arch/x86/xen/multicalls.c | |
parent | e5ac0bda96c495321dbad9b57a4b1a93a5a72e7f (diff) |
xen: off by one errors in multicalls.c
b->args[] has MC_ARGS elements, so the comparison here should be
">=" instead of ">". Otherwise we read past the end of the array
one space.
CC: stable@kernel.org
Signed-off-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Signed-off-by: Jeremy Fitzhardinge <jeremy.fitzhardinge@citrix.com>
Diffstat (limited to 'arch/x86/xen/multicalls.c')
-rw-r--r-- | arch/x86/xen/multicalls.c | 12 |
1 files changed, 6 insertions, 6 deletions
diff --git a/arch/x86/xen/multicalls.c b/arch/x86/xen/multicalls.c index 8bff7e7c290b..1b2b73ff0a6e 100644 --- a/arch/x86/xen/multicalls.c +++ b/arch/x86/xen/multicalls.c | |||
@@ -189,10 +189,10 @@ struct multicall_space __xen_mc_entry(size_t args) | |||
189 | unsigned argidx = roundup(b->argidx, sizeof(u64)); | 189 | unsigned argidx = roundup(b->argidx, sizeof(u64)); |
190 | 190 | ||
191 | BUG_ON(preemptible()); | 191 | BUG_ON(preemptible()); |
192 | BUG_ON(b->argidx > MC_ARGS); | 192 | BUG_ON(b->argidx >= MC_ARGS); |
193 | 193 | ||
194 | if (b->mcidx == MC_BATCH || | 194 | if (b->mcidx == MC_BATCH || |
195 | (argidx + args) > MC_ARGS) { | 195 | (argidx + args) >= MC_ARGS) { |
196 | mc_stats_flush(b->mcidx == MC_BATCH ? FL_SLOTS : FL_ARGS); | 196 | mc_stats_flush(b->mcidx == MC_BATCH ? FL_SLOTS : FL_ARGS); |
197 | xen_mc_flush(); | 197 | xen_mc_flush(); |
198 | argidx = roundup(b->argidx, sizeof(u64)); | 198 | argidx = roundup(b->argidx, sizeof(u64)); |
@@ -206,7 +206,7 @@ struct multicall_space __xen_mc_entry(size_t args) | |||
206 | ret.args = &b->args[argidx]; | 206 | ret.args = &b->args[argidx]; |
207 | b->argidx = argidx + args; | 207 | b->argidx = argidx + args; |
208 | 208 | ||
209 | BUG_ON(b->argidx > MC_ARGS); | 209 | BUG_ON(b->argidx >= MC_ARGS); |
210 | return ret; | 210 | return ret; |
211 | } | 211 | } |
212 | 212 | ||
@@ -216,7 +216,7 @@ struct multicall_space xen_mc_extend_args(unsigned long op, size_t size) | |||
216 | struct multicall_space ret = { NULL, NULL }; | 216 | struct multicall_space ret = { NULL, NULL }; |
217 | 217 | ||
218 | BUG_ON(preemptible()); | 218 | BUG_ON(preemptible()); |
219 | BUG_ON(b->argidx > MC_ARGS); | 219 | BUG_ON(b->argidx >= MC_ARGS); |
220 | 220 | ||
221 | if (b->mcidx == 0) | 221 | if (b->mcidx == 0) |
222 | return ret; | 222 | return ret; |
@@ -224,14 +224,14 @@ struct multicall_space xen_mc_extend_args(unsigned long op, size_t size) | |||
224 | if (b->entries[b->mcidx - 1].op != op) | 224 | if (b->entries[b->mcidx - 1].op != op) |
225 | return ret; | 225 | return ret; |
226 | 226 | ||
227 | if ((b->argidx + size) > MC_ARGS) | 227 | if ((b->argidx + size) >= MC_ARGS) |
228 | return ret; | 228 | return ret; |
229 | 229 | ||
230 | ret.mc = &b->entries[b->mcidx - 1]; | 230 | ret.mc = &b->entries[b->mcidx - 1]; |
231 | ret.args = &b->args[b->argidx]; | 231 | ret.args = &b->args[b->argidx]; |
232 | b->argidx += size; | 232 | b->argidx += size; |
233 | 233 | ||
234 | BUG_ON(b->argidx > MC_ARGS); | 234 | BUG_ON(b->argidx >= MC_ARGS); |
235 | return ret; | 235 | return ret; |
236 | } | 236 | } |
237 | 237 | ||