[stable] Patch "xen: off by one errors in multicalls.c" has been added to the 2.6.33-longterm tree

Thu, 09 Jun 2011 13:40:20 -0700 

This is a note to let you know that I've just added the patch titled

    xen: off by one errors in multicalls.c

to the 2.6.33-longterm tree which can be found at:
    
http://www.kernel.org/git/?p=linux/kernel/git/longterm/longterm-queue-2.6.33.git;a=summary

The filename of the patch is:
     xen-off-by-one-errors-in-multicalls.c.patch
and it can be found in the queue-2.6.33 subdirectory.

If you, or anyone else, feels it should not be added to the 2.6.33 longterm 
tree,
please let <[email protected]> know about it.


>From f124c6ae59e193705c9ddac57684d50006d710e6 Mon Sep 17 00:00:00 2001
From: Dan Carpenter <[email protected]>
Date: Fri, 3 Jun 2011 07:45:28 +0300
Subject: xen: off by one errors in multicalls.c

From: Dan Carpenter <[email protected]>

commit f124c6ae59e193705c9ddac57684d50006d710e6 upstream.

b->args[] has MC_ARGS elements, so the comparison here should be
">=" instead of ">".  Otherwise we read past the end of the array
one space.

Signed-off-by: Dan Carpenter <[email protected]>
Signed-off-by: Konrad Rzeszutek Wilk <[email protected]>
Signed-off-by: Jeremy Fitzhardinge <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
 arch/x86/xen/multicalls.c |   12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

--- a/arch/x86/xen/multicalls.c
+++ b/arch/x86/xen/multicalls.c
@@ -189,10 +189,10 @@ struct multicall_space __xen_mc_entry(si
        unsigned argidx = roundup(b->argidx, sizeof(u64));
 
        BUG_ON(preemptible());
-       BUG_ON(b->argidx > MC_ARGS);
+       BUG_ON(b->argidx >= MC_ARGS);
 
        if (b->mcidx == MC_BATCH ||
-           (argidx + args) > MC_ARGS) {
+           (argidx + args) >= MC_ARGS) {
                mc_stats_flush(b->mcidx == MC_BATCH ? FL_SLOTS : FL_ARGS);
                xen_mc_flush();
                argidx = roundup(b->argidx, sizeof(u64));
@@ -206,7 +206,7 @@ struct multicall_space __xen_mc_entry(si
        ret.args = &b->args[argidx];
        b->argidx = argidx + args;
 
-       BUG_ON(b->argidx > MC_ARGS);
+       BUG_ON(b->argidx >= MC_ARGS);
        return ret;
 }
 
@@ -216,7 +216,7 @@ struct multicall_space xen_mc_extend_arg
        struct multicall_space ret = { NULL, NULL };
 
        BUG_ON(preemptible());
-       BUG_ON(b->argidx > MC_ARGS);
+       BUG_ON(b->argidx >= MC_ARGS);
 
        if (b->mcidx == 0)
                return ret;
@@ -224,14 +224,14 @@ struct multicall_space xen_mc_extend_arg
        if (b->entries[b->mcidx - 1].op != op)
                return ret;
 
-       if ((b->argidx + size) > MC_ARGS)
+       if ((b->argidx + size) >= MC_ARGS)
                return ret;
 
        ret.mc = &b->entries[b->mcidx - 1];
        ret.args = &b->args[b->argidx];
        b->argidx += size;
 
-       BUG_ON(b->argidx > MC_ARGS);
+       BUG_ON(b->argidx >= MC_ARGS);
        return ret;
 }
 


Patches currently in longterm-queue-2.6.33 which might be from 
[email protected] are

/home/gregkh/linux/longterm/longterm-queue-2.6.33/queue-2.6.33/xen-off-by-one-errors-in-multicalls.c.patch

_______________________________________________
stable mailing list
[email protected]
http://linux.kernel.org/mailman/listinfo/stable

Reply via email to