Skip to content

Commit fe82203

Browse files
torvaldstorvalds
committed
Merge tag 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mst/vhost
Pull virtio fixes from Michael Tsirkin: "Fixes to multiple issues in virtio. Most notably a regression fix for crashes reported by Fedora users. Hibernate is still reportedly broken, working on it" * tag 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mst/vhost: virtio_balloon: prevent uninitialized variable use virtio-balloon: use actual number of stats for stats queue buffers virtio_balloon: init 1st buffer in stats vq virtio_pci: fix out of bound access for msix_names
2 parents 050fc52 + f0bb2d5 commit fe82203

File tree

2 files changed

+18
-10
lines changed

2 files changed

+18
-10
lines changed

drivers/virtio/virtio_balloon.c

Lines changed: 13 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -242,30 +242,34 @@ static inline void update_stat(struct virtio_balloon *vb, int idx,
242242

243243
#define pages_to_bytes(x) ((u64)(x) << PAGE_SHIFT)
244244

245-
static void update_balloon_stats(struct virtio_balloon *vb)
245+
static unsigned int update_balloon_stats(struct virtio_balloon *vb)
246246
{
247247
unsigned long events[NR_VM_EVENT_ITEMS];
248248
struct sysinfo i;
249-
int idx = 0;
249+
unsigned int idx = 0;
250250
long available;
251251

252252
all_vm_events(events);
253253
si_meminfo(&i);
254254

255255
available = si_mem_available();
256256

257+
#ifdef CONFIG_VM_EVENT_COUNTERS
257258
update_stat(vb, idx++, VIRTIO_BALLOON_S_SWAP_IN,
258259
pages_to_bytes(events[PSWPIN]));
259260
update_stat(vb, idx++, VIRTIO_BALLOON_S_SWAP_OUT,
260261
pages_to_bytes(events[PSWPOUT]));
261262
update_stat(vb, idx++, VIRTIO_BALLOON_S_MAJFLT, events[PGMAJFAULT]);
262263
update_stat(vb, idx++, VIRTIO_BALLOON_S_MINFLT, events[PGFAULT]);
264+
#endif
263265
update_stat(vb, idx++, VIRTIO_BALLOON_S_MEMFREE,
264266
pages_to_bytes(i.freeram));
265267
update_stat(vb, idx++, VIRTIO_BALLOON_S_MEMTOT,
266268
pages_to_bytes(i.totalram));
267269
update_stat(vb, idx++, VIRTIO_BALLOON_S_AVAIL,
268270
pages_to_bytes(available));
271+
272+
return idx;
269273
}
270274

271275
/*
@@ -291,14 +295,14 @@ static void stats_handle_request(struct virtio_balloon *vb)
291295
{
292296
struct virtqueue *vq;
293297
struct scatterlist sg;
294-
unsigned int len;
298+
unsigned int len, num_stats;
295299

296-
update_balloon_stats(vb);
300+
num_stats = update_balloon_stats(vb);
297301

298302
vq = vb->stats_vq;
299303
if (!virtqueue_get_buf(vq, &len))
300304
return;
301-
sg_init_one(&sg, vb->stats, sizeof(vb->stats));
305+
sg_init_one(&sg, vb->stats, sizeof(vb->stats[0]) * num_stats);
302306
virtqueue_add_outbuf(vq, &sg, 1, vb, GFP_KERNEL);
303307
virtqueue_kick(vq);
304308
}
@@ -423,13 +427,16 @@ static int init_vqs(struct virtio_balloon *vb)
423427
vb->deflate_vq = vqs[1];
424428
if (virtio_has_feature(vb->vdev, VIRTIO_BALLOON_F_STATS_VQ)) {
425429
struct scatterlist sg;
430+
unsigned int num_stats;
426431
vb->stats_vq = vqs[2];
427432

428433
/*
429434
* Prime this virtqueue with one buffer so the hypervisor can
430435
* use it to signal us later (it can't be broken yet!).
431436
*/
432-
sg_init_one(&sg, vb->stats, sizeof vb->stats);
437+
num_stats = update_balloon_stats(vb);
438+
439+
sg_init_one(&sg, vb->stats, sizeof(vb->stats[0]) * num_stats);
433440
if (virtqueue_add_outbuf(vb->stats_vq, &sg, 1, vb, GFP_KERNEL)
434441
< 0)
435442
BUG();

drivers/virtio/virtio_pci_common.c

Lines changed: 5 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -147,7 +147,7 @@ static int vp_find_vqs_msix(struct virtio_device *vdev, unsigned nvqs,
147147
{
148148
struct virtio_pci_device *vp_dev = to_vp_device(vdev);
149149
const char *name = dev_name(&vp_dev->vdev.dev);
150-
int i, err = -ENOMEM, allocated_vectors, nvectors;
150+
int i, j, err = -ENOMEM, allocated_vectors, nvectors;
151151
unsigned flags = PCI_IRQ_MSIX;
152152
bool shared = false;
153153
u16 msix_vec;
@@ -212,7 +212,7 @@ static int vp_find_vqs_msix(struct virtio_device *vdev, unsigned nvqs,
212212
if (!vp_dev->msix_vector_map)
213213
goto out_disable_config_irq;
214214

215-
allocated_vectors = 1; /* vector 0 is the config interrupt */
215+
allocated_vectors = j = 1; /* vector 0 is the config interrupt */
216216
for (i = 0; i < nvqs; ++i) {
217217
if (!names[i]) {
218218
vqs[i] = NULL;
@@ -236,18 +236,19 @@ static int vp_find_vqs_msix(struct virtio_device *vdev, unsigned nvqs,
236236
continue;
237237
}
238238

239-
snprintf(vp_dev->msix_names[i + 1],
239+
snprintf(vp_dev->msix_names[j],
240240
sizeof(*vp_dev->msix_names), "%s-%s",
241241
dev_name(&vp_dev->vdev.dev), names[i]);
242242
err = request_irq(pci_irq_vector(vp_dev->pci_dev, msix_vec),
243243
vring_interrupt, IRQF_SHARED,
244-
vp_dev->msix_names[i + 1], vqs[i]);
244+
vp_dev->msix_names[j], vqs[i]);
245245
if (err) {
246246
/* don't free this irq on error */
247247
vp_dev->msix_vector_map[i] = VIRTIO_MSI_NO_VECTOR;
248248
goto out_remove_vqs;
249249
}
250250
vp_dev->msix_vector_map[i] = msix_vec;
251+
j++;
251252

252253
/*
253254
* Use a different vector for each queue if they are available,

0 commit comments

Comments
 (0)