authorRusty Russell <rusty@rustcorp.com.au>2009-07-31 00:03:43 +0200
committerRusty Russell <rusty@rustcorp.com.au>2009-07-30 08:33:43 +0200
commit8ef562d112c82ec539775698f8b63ac5ec1bd766 (patch)
tree4bf0997d89cb138f8d061c948dca6286ab368973
parentlguest: dereferencing freed mem in add_eventfd() (diff)
lguest: fix descriptor corruption in example launcher
1d589bb16b825b3a7b4edd34d997f1f1f953033d "Add serial number support for virtio_blk, V4a" extended 'struct virtio_blk_config' to 536 bytes. Lguest and S/390 both use an 8 bit value for the feature length, and this change broke them (if the code is naive). Signed-off-by: Rusty Russell <rusty@rustcorp.com.au> Cc: John Cooper <john.cooper@redhat.com> Cc: Christian Borntraeger <borntraeger@de.ibm.com>
-rw-r--r--Documentation/lguest/lguest.c6
1 files changed, 5 insertions, 1 deletions
diff --git a/Documentation/lguest/lguest.c b/Documentation/lguest/lguest.c
index 9ebcd6ef361b..45d7d6dcae7a 100644
--- a/Documentation/lguest/lguest.c
+++ b/Documentation/lguest/lguest.c
@@ -1105,6 +1105,9 @@ static void set_config(struct device *dev, unsigned len, const void *conf)
/* Copy in the config information, and store the length. */
memcpy(device_config(dev), conf, len);
dev->desc->config_len = len;
+
+ /* Size must fit in config_len field (8 bits)! */
+ assert(dev->desc->config_len == len);
}
/* This routine does all the creation and setup of a new device, including
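Review bot: The new assert in set_config runs after `memcpy(device_config(dev), conf, len)` and after the truncating store to `config_len`, so an oversized `len` has already been copied into the descriptor's config area before it is caught. The check also disappears entirely if the launcher is ever built with NDEBUG. Checking the bound before the copy, e.g. `assert(len <= 0xff);` as the first statement (or an unconditional error exit), would make the 8-bit limit a precondition rather than an after-the-fact detection. The start of set_config is outside the hunk, so this assumes nothing earlier already bounds `len`.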
@@ -1515,7 +1518,8 @@ static void setup_block_file(const char *filename)
add_feature(dev, VIRTIO_BLK_F_SEG_MAX);
conf.seg_max = cpu_to_le32(VIRTQUEUE_NUM - 2);
- set_config(dev, sizeof(conf), &conf);
+ /* Don't try to put whole struct: we have 8 bit limit. */
+ set_config(dev, offsetof(struct virtio_blk_config, geometry), &conf);
verbose("device %u: virtblock %llu sectors\n",
++devices.device_num, le64_to_cpu(conf.capacity));
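Review bot: The length passed to set_config in setup_block_file now depends silently on the field order of `struct virtio_blk_config`: everything from `geometry` onward is no longer exposed to the guest, and the comment does not say why that is safe. In the visible lines only `VIRTIO_BLK_F_SEG_MAX` is advertised, and `seg_max` presumably sits before `geometry`. A comment such as `/* Guest only reads up to seg_max; fields from geometry on are not exposed because config_len is 8 bits. */` would record that assumption for whoever later adds a feature whose field lies further into the struct. The rest of setup_block_file is outside the hunk, so any features added earlier in the function should be checked against the same cutoff.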