Acked-by: Eli Cohen <[email protected]> BTW, vdpa_sim has the same bug.
-----Original Message----- From: Dan Carpenter <[email protected]> Sent: Saturday, August 8, 2020 12:33 PM To: Michael S. Tsirkin <[email protected]>; Eli Cohen <[email protected]> Cc: Jason Wang <[email protected]>; Parav Pandit <[email protected]>; [email protected]; [email protected]; [email protected] Subject: [PATCH] vdpa/mlx5: Fix pointer math in mlx5_vdpa_get_config() There is a pointer math bug here so if "offset" is non-zero then this will copy memory from beyond the end of the array. Fixes: 1a86b377aa21 ("vdpa/mlx5: Add VDPA driver for supported mlx5 devices") Signed-off-by: Dan Carpenter <[email protected]> --- drivers/vdpa/mlx5/net/mlx5_vnet.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/vdpa/mlx5/net/mlx5_vnet.c b/drivers/vdpa/mlx5/net/mlx5_vnet.c index 3ec44a4f0e45..9d1637cf772e 100644 --- a/drivers/vdpa/mlx5/net/mlx5_vnet.c +++ b/drivers/vdpa/mlx5/net/mlx5_vnet.c @@ -1758,7 +1758,7 @@ static void mlx5_vdpa_get_config(struct vdpa_device *vdev, unsigned int offset, struct mlx5_vdpa_net *ndev = to_mlx5_vdpa_ndev(mvdev); if (offset + len < sizeof(struct virtio_net_config)) - memcpy(buf, &ndev->config + offset, len); + memcpy(buf, (u8 *)&ndev->config + offset, len); } static void mlx5_vdpa_set_config(struct vdpa_device *vdev, unsigned int offset, const void *buf, -- 2.27.0
