On 11.03.2025 13:06, Roger Pau Monne wrote:
> --- a/xen/arch/x86/hvm/vmx/vmx.c
> +++ b/xen/arch/x86/hvm/vmx/vmx.c
> @@ -396,6 +396,13 @@ static int cf_check vmx_pi_update_irte(const struct vcpu 
> *v,
>      const struct pi_desc *pi_desc = v ? &v->arch.hvm.vmx.pi_desc : NULL;
>      struct irq_desc *desc;
>      struct msi_desc *msi_desc;
> +    /*
> +     * vmx_pi_update_irte() relies on the IRTE already being setup, and just
> +     * updates the guest vector, but not the other IRTE fields.  As such the
> +     * contents of msg are not consumed by iommu_update_ire_from_msi().  Even
> +     * if not consumed, zero the contents to avoid possible stack leaks.
> +     */
> +    struct msi_msg msg = {};
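Review bot: the comment's claim that the contents of msg are not consumed by iommu_update_ire_from_msi() is only justified when a posted-interrupt descriptor exists, yet the unchanged context line `const struct pi_desc *pi_desc = v ? &v->arch.hvm.vmx.pi_desc : NULL;` shows pi_desc can be NULL on this path; for that case the zeroed msg would be the value handed to the IOMMU code, so either the comment should state how the NULL case is handled or msg should be initialised from the existing msi_desc->msg rather than from `{}`, which avoids the stack-leak concern equally well without ever programming an all-zero message. Minor: "already being setup" should read "already being set up".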

What the comment says is true only when pi_desc != NULL. As can be seen in
context above, it can very well be NULL here, though (which isn't to say
that I'm convinced the NULL case is handled correctly here). I'd view it as
more safe anyway if you set msg from msi_desc->msg.

Jan
