| Message ID | 20240710004150.319105-1-yi.l.liu@intel.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | vfio/pci: Init the count variable in collecting hot-reset devices | expand |
> From: Yi Liu <yi.l.liu@intel.com> > Sent: Wednesday, July 10, 2024 8:42 AM > > The count variable is used without initialization, it results in mistakes > in the device counting and crashes the userspace if the get hot reset info > path is triggered. > > Fixes: f6944d4a0b87 ("vfio/pci: Collect hot-reset devices to local buffer") > Link: https://bugzilla.kernel.org/show_bug.cgi?id=219010 > Reported-by: Žilvinas Žaltiena <zaltys@natrix.lt> > Cc: Beld Zhang <beldzhang@gmail.com> > Signed-off-by: Yi Liu <yi.l.liu@intel.com> Reviewed-by: Kevin Tian <kevin.tian@intel.com>
On Tue, 9 Jul 2024 17:41:50 -0700 Yi Liu <yi.l.liu@intel.com> wrote: > The count variable is used without initialization, it results in mistakes > in the device counting and crashes the userspace if the get hot reset info > path is triggered. > > Fixes: f6944d4a0b87 ("vfio/pci: Collect hot-reset devices to local buffer") > Link: https://bugzilla.kernel.org/show_bug.cgi?id=219010 > Reported-by: Žilvinas Žaltiena <zaltys@natrix.lt> > Cc: Beld Zhang <beldzhang@gmail.com> > Signed-off-by: Yi Liu <yi.l.liu@intel.com> > --- > drivers/vfio/pci/vfio_pci_core.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/vfio/pci/vfio_pci_core.c b/drivers/vfio/pci/vfio_pci_core.c > index 59af22f6f826..0a7bfdd08bc7 100644 > --- a/drivers/vfio/pci/vfio_pci_core.c > +++ b/drivers/vfio/pci/vfio_pci_core.c > @@ -1260,7 +1260,7 @@ static int vfio_pci_ioctl_get_pci_hot_reset_info( > struct vfio_pci_hot_reset_info hdr; > struct vfio_pci_fill_info fill = {}; > bool slot = false; > - int ret, count; > + int ret, count = 0; > > if (copy_from_user(&hdr, arg, minsz)) > return -EFAULT; Thanks, Yi! I just got back from a long weekend and was planning to debug this. Thanks for finding the bug! Alex
On Tue, Jul 09, 2024 at 05:41:50PM -0700, Yi Liu wrote: > The count variable is used without initialization, it results in mistakes > in the device counting and crashes the userspace if the get hot reset info > path is triggered. > > Fixes: f6944d4a0b87 ("vfio/pci: Collect hot-reset devices to local buffer") > Link: https://bugzilla.kernel.org/show_bug.cgi?id=219010 > Reported-by: Žilvinas Žaltiena <zaltys@natrix.lt> > Cc: Beld Zhang <beldzhang@gmail.com> > Signed-off-by: Yi Liu <yi.l.liu@intel.com> > --- > drivers/vfio/pci/vfio_pci_core.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) Reviewed-by: Jason Gunthorpe <jgg@nvidia.com> Jason
diff --git a/drivers/vfio/pci/vfio_pci_core.c b/drivers/vfio/pci/vfio_pci_core.c index 59af22f6f826..0a7bfdd08bc7 100644 --- a/drivers/vfio/pci/vfio_pci_core.c +++ b/drivers/vfio/pci/vfio_pci_core.c @@ -1260,7 +1260,7 @@ static int vfio_pci_ioctl_get_pci_hot_reset_info( struct vfio_pci_hot_reset_info hdr; struct vfio_pci_fill_info fill = {}; bool slot = false; - int ret, count; + int ret, count = 0; if (copy_from_user(&hdr, arg, minsz)) return -EFAULT;
The count variable is used without initialization, it results in mistakes in the device counting and crashes the userspace if the get hot reset info path is triggered. Fixes: f6944d4a0b87 ("vfio/pci: Collect hot-reset devices to local buffer") Link: https://bugzilla.kernel.org/show_bug.cgi?id=219010 Reported-by: Žilvinas Žaltiena <zaltys@natrix.lt> Cc: Beld Zhang <beldzhang@gmail.com> Signed-off-by: Yi Liu <yi.l.liu@intel.com> --- drivers/vfio/pci/vfio_pci_core.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)