Acked-by: Eli Cohen <e...@nvidia.com>
BTW, vdpa_sim has the same bug.
-----Original Message-----
From: Dan Carpenter <dan.carpen...@oracle.com>
Sent: Saturday, August 8, 2020 12:33 PM
To: Michael S. Tsirkin <m...@redhat.com>; Eli Cohen <e...@mellanox.com>
Cc: Jason Wang <jasow...@redhat.com>; Parav Pandit <pa...@mellanox.com>;
virtualizat...@lists.linux-foundation.org; linux-kernel@vger.kernel.org;
kernel-janit...@vger.kernel.org
Subject: [PATCH] vdpa/mlx5: Fix pointer math in mlx5_vdpa_get_config()
There is a pointer math bug here so if "offset" is non-zero then this will copy
memory from beyond the end of the array.
Fixes: 1a86b377aa21 ("vdpa/mlx5: Add VDPA driver for supported mlx5 devices")
Signed-off-by: Dan Carpenter <dan.carpen...@oracle.com>
---
drivers/vdpa/mlx5/net/mlx5_vnet.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/vdpa/mlx5/net/mlx5_vnet.c
b/drivers/vdpa/mlx5/net/mlx5_vnet.c
index 3ec44a4f0e45..9d1637cf772e 100644
--- a/drivers/vdpa/mlx5/net/mlx5_vnet.c
+++ b/drivers/vdpa/mlx5/net/mlx5_vnet.c
@@ -1758,7 +1758,7 @@ static void mlx5_vdpa_get_config(struct vdpa_device
*vdev, unsigned int offset,
struct mlx5_vdpa_net *ndev = to_mlx5_vdpa_ndev(mvdev);
if (offset + len < sizeof(struct virtio_net_config))
- memcpy(buf, &ndev->config + offset, len);
+ memcpy(buf, (u8 *)&ndev->config + offset, len);
}
static void mlx5_vdpa_set_config(struct vdpa_device *vdev, unsigned int
offset, const void *buf,
--
2.27.0
