github-mirror/linux
1
0
Fork 0
mirror of https://github.com/torvalds/linux.git synced 2026-06-08 22:52:35 +02:00
Code Issues Actions Packages Projects Releases Wiki Activity Graph
ebbbc5fea3
linux/drivers
History
Dan Carpenter ebbbc5fea3 vduse: check that offset is within bounds in get_config() 
commit dc1db0060c upstream.

This condition checks "len" but it does not check "offset" and that
could result in an out of bounds read if "offset > dev->config_size".
The problem is that since both variables are unsigned the
"dev->config_size - offset" subtraction would result in a very high
unsigned value.

I think these checks might not be necessary because "len" and "offset"
are supposed to already have been validated using the
vhost_vdpa_config_validate() function.  But I do not know the code
perfectly, and I like to be safe.

Fixes: c8a6153b6c ("vduse: Introduce VDUSE - vDPA Device in Userspace")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Link: https://lore.kernel.org/r/20211208150956.GA29160@kili
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2021-12-22 09:32:36 +01:00
..
accessibility
acpi ACPI: CPPC: Add NULL pointer check to cppc_get_perf() 2021-12-01 09:04:38 +01:00
amba ARM: 9120/1: Revert "amba: make use of -1 IRQs warn" 2021-11-06 14:13:31 +01:00
android binder: use wake_up_pollfree() 2021-12-14 10:57:15 +01:00
ata libata: add horkage for ASMedia 1092 2021-12-14 10:57:15 +01:00
atm
auxdisplay auxdisplay: ht16k33: Fix frame buffer device blanking 2021-11-18 19:17:02 +01:00
base firmware_loader: fix pre-allocated buf built-in firmware use 2021-11-25 09:48:27 +01:00
bcma Driver core update for 5.15-rc1 2021-09-01 08:44:42 -07:00
block loop: Use pr_warn_once() for loop_control_remove() warning 2021-12-17 10:30:15 +01:00
bluetooth Bluetooth: btusb: Add support for TP-Link UB500 Adapter 2021-11-21 13:44:13 +01:00
bus bus: mhi: core: Add support for forced PM resume 2021-12-14 10:57:22 +01:00
cdrom
char parisc/agp: Annotate parisc agp init functions with __init 2021-12-17 10:30:15 +01:00
clk clk: qcom: sm6125-gcc: Swap ops of ice and apps on sdcc1 2021-12-17 10:30:13 +01:00
clocksource clocksource/drivers/dw_apb_timer_of: Fix probe failure 2021-12-14 10:57:23 +01:00
comedi comedi: vmk80xx: fix bulk and interrupt message timeouts 2021-11-12 15:05:51 +01:00
connector
counter
cpufreq cpufreq: Fix get_cpu_device() failure in add_cpu_dev_symlink() 2021-12-08 09:04:42 +01:00
cpuidle cpuidle: Fix kobject memory leaks in error paths 2021-11-18 19:16:29 +01:00
crypto crypto: octeontx2 - set assoclen in aead_do_fallback() 2021-11-18 19:16:33 +01:00
cxl cxl/pci: Fix NULL vs ERR_PTR confusion 2021-11-18 19:16:04 +01:00
dax libnvdimm for v5.15 2021-09-09 11:39:57 -07:00
dca
devfreq devfreq: use HZ macros 2021-09-08 11:50:26 -07:00
dio
dma dmaengine: remove debugfs #ifdef 2021-11-25 09:48:41 +01:00
dma-buf dma-buf: system_heap: Use 'for_each_sgtable_sg' in pages free flow 2021-12-08 09:04:42 +01:00
edac EDAC/amd64: Handle three rank interleaving mode 2021-11-18 19:16:30 +01:00
eisa
extcon
firewire FireWire (IEEE 1394) subsystem updates: 2021-09-11 09:47:33 -07:00
firmware firmware: arm_scpi: Fix string overflow in SCPI genpd driver 2021-12-22 09:32:35 +01:00
fpga fpga: ice40-spi: Add SPI device ID table 2021-09-27 14:00:41 -07:00
fsi
gnss
gpio gpio: rockchip: needs GENERIC_IRQ_CHIP to fix build errors 2021-11-25 09:48:36 +01:00
gpu drm/amdkfd: process_info lock not needed for svm 2021-12-17 10:30:16 +01:00
greybus
hid HID: Ignore battery for Elan touchscreen on Asus UX550VE 2021-12-14 10:57:06 +01:00
hsi
hv Drivers: hv: balloon: Use VMBUS_RING_SIZE() wrapper for dm_ring_size 2021-11-25 09:48:46 +01:00
hwmon hwmon: (corsair-psu) fix plain integer used as NULL pointer 2021-12-17 10:30:12 +01:00
hwspinlock
hwtracing coresight: trbe: Defer the probe on offline CPUs 2021-11-18 19:16:06 +01:00
i2c i2c: rk3x: Handle a spurious start completion interrupt flag 2021-12-17 10:30:15 +01:00
i3c
idle
iio iio: accel: kxcjk-1013: Fix possible memory leak in probe and remove 2021-12-14 10:57:21 +01:00
infiniband RDMA/irdma: Don't arm the CQ more than two times if no CE for this CQ 2021-12-17 10:30:14 +01:00
input Input: st1232 - increase "wait ready" timeout 2021-11-18 19:17:01 +01:00
interconnect interconnect: qcom: sdm660: Add missing a2noc qos clocks 2021-09-13 15:49:55 +03:00
iommu iommu/amd: Clarify AMD IOMMUv2 initialization messages 2021-12-01 09:04:55 +01:00
ipack ipack: ipoctal: fix module reference leak 2021-09-27 17:38:49 +02:00
irqchip irqchip: nvic: Fix offset for Interrupt Priority Offsets 2021-12-14 10:57:23 +01:00
isdn mISDN: Fix return values of the probe function 2021-10-19 13:09:28 +01:00
leds leds: pca955x: Switch to i2c probe_new 2021-08-20 11:00:08 +02:00
macintosh memblock: introduce saner 'memblock_free_ptr()' interface 2021-09-14 13:23:22 -07:00
mailbox mailbox: mtk-cmdq: Fix local clock ID usage 2021-11-18 19:16:35 +01:00
mcb mcb: fix error handling in mcb_alloc_bus() 2021-09-14 11:22:26 +02:00
md md: fix update super 1.0 on rdev size change 2021-12-14 10:57:14 +01:00
media media: v4l2-core: fix VIDIOC_DQEVENT handling on non-x86 2021-12-01 09:04:45 +01:00
memory memory: tegra20-emc: Add runtime dependency on devfreq governor module 2021-11-25 09:48:30 +01:00
memstick memstick: jmb38x_ms: use appropriate free function in jmb38x_ms_alloc_host() 2021-11-18 19:16:32 +01:00
message
mfd mfd: dln2: Add cell for initializing DLN2 ADC 2021-11-18 19:17:17 +01:00
misc misc: fastrpc: fix improper packet size calculation 2021-12-14 10:57:23 +01:00
mmc mmc: renesas_sdhi: initialize variable properly when tuning 2021-12-14 10:57:14 +01:00
most most: fix control-message timeouts 2021-11-18 19:16:08 +01:00
mtd mtd: rawnand: Fix nand_choose_best_timings() on unsupported interface 2021-12-17 10:30:13 +01:00
mux
net net/mlx4_en: Update reported link modes for 1/10G 2021-12-17 10:30:15 +01:00
nfc nfc: pn533: Fix double free when pn533_fill_fragment_skbs() fails 2021-11-18 19:17:10 +01:00
ntb Bug fixes and clean-ups for Linux v5.15 2021-09-07 13:05:02 -07:00
nubus
nvdimm nvdimm/pmem: cleanup the disk if pmem_release_disk() is yet assigned 2021-11-18 19:17:07 +01:00
nvme nvmet: use IOCB_NOWAIT only if the filesystem supports it 2021-12-01 09:04:52 +01:00
nvmem nvmem: Fix shift-out-of-bound (UBSAN) with byte size cells 2021-10-13 15:09:58 +02:00
of of: unittest: fix EXPECT text for gpio hog errors 2021-11-18 19:16:45 +01:00
opp opp: Fix return in _opp_add_static_v2() 2021-11-18 19:17:00 +01:00
parisc parisc: Move pci_dev_is_behind_card_dino to where it is used 2021-09-09 12:44:31 +02:00
parport parisc architecture updates for kernel 5.15: 2021-09-02 13:16:00 -07:00
pci Revert "PCI: aardvark: Fix support for PCI_ROM_ADDRESS1 on emulated bridge" 2021-12-14 10:57:18 +01:00
pcmcia
perf KVM: arm64: Fix PMU probe ordering 2021-09-20 12:43:34 +01:00
phy phy: Sparx5 Eth SerDes: Fix return value check in sparx5_serdes_probe() 2021-11-18 19:16:56 +01:00
pinctrl pinctrl: qcom: fix unmet dependencies on GPIOLIB for GPIOLIB_IRQCHIP 2021-12-08 09:04:38 +01:00
platform platform/x86: amd-pmc: Fix s2idle failures on certain AMD laptops 2021-12-14 10:57:08 +01:00
pnp
power power: supply: bq27xxx: Fix kernel crash on IRQ handler register error 2021-11-18 19:16:58 +01:00
powercap powercap: Add Power Limit4 support for Alder Lake SoC 2021-08-25 20:12:16 +02:00
pps
ps3
ptp ptp: ocp: Fix a couple NULL vs IS_ERR() checks 2021-11-25 09:48:40 +01:00
pwm pwm: mtk-disp: Implement atomic API .get_state() 2021-09-02 22:27:46 +02:00
rapidio
ras
regulator regulator: s5m8767: do not use reset value as DVS voltage if GPIO DVS is disabled 2021-11-18 19:15:57 +01:00
remoteproc remoteproc: imx_rproc: Fix rsc-table name 2021-11-18 19:17:18 +01:00
reset reset: tegra-bpmp: Revert Handle errors in BPMP response 2021-12-22 09:32:33 +01:00
rpmsg
rtc rtc: rv3032: fix error handling in rv3032_clkout_set_rate() 2021-11-18 19:17:01 +01:00
s390 s390/cio: make ccw_device_dma_* more robust 2021-11-18 19:17:18 +01:00
sbus
scsi scsi: scsi_debug: Fix buffer size of REPORT ZONES command 2021-12-14 10:57:16 +01:00
sh maple: fix wrong return value of maple_bus_init(). 2021-11-25 09:48:31 +01:00
siox
slimbus Driver core update for 5.15-rc1 2021-09-01 08:44:42 -07:00
soc soc: fsl: dpaa2-console: free buffer before returning from dpaa2_console_read 2021-11-18 19:17:02 +01:00
soundwire soundwire: bus: stop dereferencing invalid slave pointer 2021-11-18 19:16:54 +01:00
spi spi: fix use-after-free of the add_lock mutex 2021-11-25 09:48:46 +01:00
spmi
ssb
staging staging: most: dim2: use device release method 2021-12-17 10:30:16 +01:00
target scsi: target: Fix alua_tg_pt_gps_count tracking 2021-11-25 09:48:29 +01:00
tc
tee tee: optee: Fix missing devices unregister during optee_remove 2021-10-12 13:24:39 +02:00
thermal thermal: int340x: Fix VCoRefLow MMIO bit offset for TGL 2021-12-14 10:57:14 +01:00
thunderbolt thunderbolt: build kunit tests without structleak plugin 2021-10-06 17:53:49 -06:00
tty Revert "tty: serial: fsl_lpuart: drop earlycon entry for i.MX8QXP" 2021-12-17 10:30:15 +01:00
uio
usb xhci: avoid race between disable slot command and host runtime suspend 2021-12-14 10:57:20 +01:00
vdpa vduse: check that offset is within bounds in get_config() 2021-12-22 09:32:36 +01:00
vfio vfio/pci: add missing identifier name in argument of function prototype 2021-09-23 14:12:36 -06:00
vhost vhost/vsock: fix incorrect used length reported to the guest 2021-12-01 09:04:55 +01:00
video vgacon: Propagate console boot parameters before calling `vc_resize' 2021-12-08 09:04:55 +01:00
virt
virtio virtio_ring: check desc == NULL when using indirect with packed 2021-11-18 19:16:58 +01:00
visorbus
vlynq
vme
w1
watchdog ar7: fix kernel builds for compiler test 2021-11-18 19:17:03 +01:00
xen xen: detect uninitialized xenbus in xenbus_init 2021-12-01 09:04:42 +01:00
zorro
Kconfig firmware: include drivers/firmware/Kconfig unconditionally 2021-10-07 16:51:26 +02:00
Makefile remove the lightnvm subsystem 2021-08-14 15:54:09 -06:00